Devii · APIs & integration · 2026-03-19 · 7 min read


CORS Explained Correctly: Browser Enforcement, Not Server Authorization

The Fetch living standard's CORS mechanism: preflight, ACAO headers, and common misconceptions.

**Cross-Origin Resource Sharing (CORS)** is enforced by **browsers**, not by curl, scripts, or server-to-server calls. When a page at `https://a.example` fetches `https://b.example`, the browser attaches an `Origin: https://a.example` header, sends the request (or a preflight first), and then inspects the response's CORS headers to decide whether the calling script may read the result. The request usually still reaches the server; what CORS gates is the page's access to the response.

Requests the Fetch standard treats as simple (`GET`, `HEAD`, or `POST` carrying only CORS-safelisted headers and a form or `text/plain` content type) are sent without preflight; the browser only checks the response. Anything else, such as `PUT`, `DELETE`, a `Content-Type: application/json` body, or a custom header, first triggers an **OPTIONS preflight** carrying `Access-Control-Request-Method` and `Access-Control-Request-Headers`. The server answers with `Access-Control-Allow-Origin` (a specific origin, or `*` only for responses that do not involve credentials), `Access-Control-Allow-Methods`, and `Access-Control-Allow-Headers`; when it echoes a specific origin it should also send `Vary: Origin` so shared caches do not hand one origin's answer to another.

Integration testing

CORS does not stop attackers from calling your API directly: a non-browser client can send any `Origin` header it likes, or none at all, and the browser-side check is the only thing CORS adds. Authentication and authorization remain server responsibilities. `Access-Control-Allow-Origin: *` combined with `Access-Control-Allow-Credentials: true` is invalid per spec, and browsers block such responses rather than honouring them. The genuinely dangerous misconfiguration is a server that reflects whatever `Origin` it receives while allowing credentials, because that lets any site read authenticated responses on a logged-in user's behalf.
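The preflight rules above and the credentials caveat, modelled as two pure functions. This is an added example written for this article, not code from Devii or from the Fetch standard: `needsPreflight` applies the browser's simplified CORS-safelisted check (header-value length limits are ignored), and `corsResponseHeaders` is a hypothetical server helper that only ever names an allowlisted origin, refuses to pair `*` with credentials, and answers preflights from a fixed header allowlist. The origins, allowlists, and header list are assumptions for illustration.

```javascript
// Added example, not from the original article. Names, allowlists and
// origins below are assumptions chosen for illustration.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
// Request headers this hypothetical API is willing to grant in a preflight.
const ALLOWED_REQUEST_HEADERS = ["Content-Type", "Authorization"];

// Browser side: would this request be sent without an OPTIONS preflight?
// Simplified CORS-safelisted check from the Fetch standard (value length
// limits and a few rarely used headers are omitted).
function needsPreflight(method, headers = {}) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true; // custom header
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true; // e.g. application/json
    }
  }
  return false;
}

// Server side: CORS response headers for one request.
// `allowlist` is a Set of exact origins (or "*"); `credentials` says whether
// browser callers rely on cookies or an Authorization header.
// Note what this does NOT do: it never authenticates anything. A curl client
// ignores every header returned here, which is the article's point.
function corsResponseHeaders(req, allowlist, { credentials = false } = {}) {
  const origin = req.headers.origin;
  // Always vary on Origin so caches never replay one origin's answer to another.
  const out = { Vary: "Origin" };
  if (origin === undefined) return out; // same-origin or non-browser client

  if (credentials) {
    // Credentialed responses must name a single origin; "*" is refused by
    // browsers, so a "*" allowlist grants nothing here by construction.
    if (!allowlist.has(origin)) return out; // browser will block the read
    out["Access-Control-Allow-Origin"] = origin;
    out["Access-Control-Allow-Credentials"] = "true";
  } else if (allowlist.has("*")) {
    out["Access-Control-Allow-Origin"] = "*";
  } else if (allowlist.has(origin)) {
    out["Access-Control-Allow-Origin"] = origin;
  } else {
    return out;
  }

  const isPreflight =
    req.method === "OPTIONS" && req.headers["access-control-request-method"];
  if (isPreflight) {
    out["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    // Grant only requested headers that are on our allowlist; anything else
    // is silently omitted, so the browser fails the preflight for it.
    const requested = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const granted = ALLOWED_REQUEST_HEADERS.filter((h) =>
      requested.includes(h.toLowerCase()));
    if (granted.length) out["Access-Control-Allow-Headers"] = granted.join(", ");
    out["Access-Control-Max-Age"] = "600";
  }
  return out;
}

// Constructed sample: a preflight for a PUT with JSON and a custom header.
const samplePreflight = {
  method: "OPTIONS",
  headers: {
    origin: "https://a.example",
    "access-control-request-method": "PUT",
    "access-control-request-headers": "content-type, x-token",
  },
};
const sampleAllowlist = new Set(["https://a.example"]);
const samplePreflightAnswer =
  corsResponseHeaders(samplePreflight, sampleAllowlist, { credentials: true });
```

In the sample, `x-token` is requested but not granted, so the browser would refuse to send the actual `PUT`; `Content-Type` is granted because it is on the allowlist. Swap the allowlist for `new Set(["*"])` with `credentials: true` and no origin is ever granted, which is the safe outcome for an invalid combination.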

Read the Fetch standard on `fetch.spec.whatwg.org`. For public APIs, document CORS policy alongside API keys and OAuth scopes.