Devii · APIs & integration · 2026-03-19 · 7 min read
CORS Explained Correctly: Browser Enforcement, Not Server Authorization
The Fetch living standard's CORS mechanism: preflight, ACAO headers, and common misconceptions.
**Cross-Origin Resource Sharing (CORS)** is enforced by **browsers**, not by curl or server-to-server calls. When a page at `https://a.example` fetches `https://b.example`, the browser sends the request (or a preflight first) and then inspects the response headers before it lets the page's script read the body.
Requests that are "simple" per the Fetch standard (`GET`, `HEAD` or `POST` carrying only CORS-safelisted headers and a form-style or `text/plain` content type) are sent without a preflight. Anything else, such as `PUT`, `DELETE`, a custom header like `X-Api-Key`, or a `Content-Type: application/json` body, makes the browser send an **OPTIONS preflight** first. The server must answer with `Access-Control-Allow-Origin` set to a specific origin (or `*`, only when credentials are not involved), plus `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` covering what the preflight asked for. When the value is a specific origin rather than `*`, add `Vary: Origin` so caches do not serve one origin's answer to another.
CORS does not stop attackers from calling your API directly: curl, scripts and other servers ignore it entirely, and even in a browser a simple `POST` is still delivered to the server, the browser only withholds the response from the page. Authentication and authorization remain server responsibilities, as does CSRF protection for state-changing endpoints. `Access-Control-Allow-Origin: *` combined with `Access-Control-Allow-Credentials: true` is invalid per spec and browsers reject it; the configuration that actually bites is a server that reflects whatever `Origin` it receives while allowing credentials, which hands every site on the internet authenticated read access to your responses.
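The preflight decision and the response-header logic described above, as an added Node.js example that is not part of the Devii article. The function names, the `policy` object shape and the sample origins are my own; the method, header and content-type allowlists mirror the Fetch standard's CORS-safelisted lists. The weak `reflectAnyOrigin` handler is included next to the hardened one so the difference is visible in code.

```javascript
// Added example (not from the article): a minimal CORS policy evaluator.
// Names and the policy shape are hypothetical; the safelists follow the Fetch standard.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);
// Request headers a browser may send without preflight (values still constrained, see Content-Type).
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// Would a browser send an OPTIONS preflight before this request? `headers` is a plain object.
function needsPreflight(method, headers = {}) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true; // e.g. X-Api-Key, Authorization
    if (lower === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true; // application/json triggers preflight
    }
  }
  return false;
}

// Hardened policy: exact-match origin allowlist; credentials only ever with a specific origin.
function corsResponseHeaders(requestOrigin, policy) {
  const { allowedOrigins, allowCredentials = false, allowedMethods = ['GET'], allowedHeaders = [] } = policy;
  const out = {};
  if (allowedOrigins === '*') {
    if (allowCredentials) throw new Error('ACAO "*" cannot be combined with credentials');
    out['Access-Control-Allow-Origin'] = '*';
  } else if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
    out['Access-Control-Allow-Origin'] = requestOrigin;
    out['Vary'] = 'Origin'; // caches must key on Origin when the value is per-origin
    if (allowCredentials) out['Access-Control-Allow-Credentials'] = 'true';
  } else {
    return out; // no CORS headers at all: the browser blocks the cross-origin read
  }
  out['Access-Control-Allow-Methods'] = allowedMethods.join(', ');
  if (allowedHeaders.length) out['Access-Control-Allow-Headers'] = allowedHeaders.join(', ');
  return out;
}

// Answer an OPTIONS preflight: allow only if origin, requested method and headers all pass.
// `req` carries Origin, Access-Control-Request-Method and Access-Control-Request-Headers.
function handlePreflight(req, policy) {
  const base = corsResponseHeaders(req.origin, policy);
  if (!base['Access-Control-Allow-Origin']) return { status: 403, headers: {} };
  const methodOk = (policy.allowedMethods || ['GET']).includes(req.requestMethod.toUpperCase());
  const allowedLower = (policy.allowedHeaders || []).map((h) => h.toLowerCase());
  const headersOk = (req.requestHeaders || []).every((h) => allowedLower.includes(h.toLowerCase()));
  if (!methodOk || !headersOk) return { status: 403, headers: {} };
  return { status: 204, headers: { ...base, 'Access-Control-Max-Age': '600' } };
}

// The weak configuration: reflect whatever Origin arrived and allow credentials.
// Every site on the internet can now read authenticated responses from this API.
function reflectAnyOrigin(requestOrigin) {
  return { 'Access-Control-Allow-Origin': requestOrigin, 'Access-Control-Allow-Credentials': 'true' };
}

module.exports = { needsPreflight, corsResponseHeaders, handlePreflight, reflectAnyOrigin };
```

`needsPreflight` is useful on the server side too: if your API only ever expects JSON bodies or an `Authorization` header, every legitimate browser call will be preceded by an OPTIONS request, so a route that never answers preflights will silently break for browser clients while working fine from curl.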
Read the Fetch standard on `fetch.spec.whatwg.org`. For public APIs, document CORS policy alongside API keys and OAuth scopes.