CORS (Access-Control-Allow-*)
CORS controls which origins can read responses from your server when browsers make cross-origin requests.
What it is
CORS is enforced by browsers. Your server tells the browser which other origins may read responses.
Common pitfalls
- Using '*' with credentials: browsers refuse to expose a credentialed response whose Access-Control-Allow-Origin is '*'.
- Overly broad allowlists: every origin you allow can read the response, so a loose match lets sites you do not trust in.
- Forgetting OPTIONS preflight handling, so non-simple requests fail before the real request is ever sent.
- Not sending Vary: Origin when dynamically setting Access-Control-Allow-Origin, so a shared cache can serve a response tagged for one origin to a different one.
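The following is an added example, not code from the original page, showing one server-side policy that avoids all four pitfalls above: an exact-match allowlist, an explicit origin whenever credentials are allowed, a handled OPTIONS preflight, and Vary: Origin on every response. The function name, request shape and the sample allowlist are assumptions for illustration.

```javascript
// Added example (not from the original page): a minimal, allowlist-based CORS
// policy that avoids the four pitfalls listed above. Names are hypothetical.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",   // constructed sample allowlist
  "https://admin.example.com",
]);

// Decide which CORS headers to emit for one request.
// `req` is a plain object: { method, headers: { origin, ... } } (lowercase header names).
// Returns { status, headers }: status is 204 for a handled preflight and
// null when the normal request handler should run with these headers added.
function corsHeaders(req, { credentials = false } = {}) {
  const origin = req.headers["origin"];
  const headers = {
    // Always vary on Origin so a shared cache never serves a response tagged
    // for one origin to a different one (pitfall 4).
    "Vary": "Origin",
  };

  // Exact-match allowlist: no reflection, no wildcard, no substring tests (pitfall 2).
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // Not an allowed cross-origin caller: send no Access-Control-Allow-* headers.
    return { status: null, headers };
  }

  headers["Access-Control-Allow-Origin"] = origin;
  if (credentials) {
    // With credentials the origin must be explicit; '*' is rejected by browsers (pitfall 1).
    headers["Access-Control-Allow-Credentials"] = "true";
  }

  // Preflight: answer OPTIONS here instead of falling through to the real handler (pitfall 3).
  const isPreflight =
    req.method === "OPTIONS" &&
    req.headers["access-control-request-method"] !== undefined;
  if (isPreflight) {
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
    headers["Access-Control-Max-Age"] = "600";
    return { status: 204, headers };
  }
  return { status: null, headers };
}
```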