CORS explained without the headache
Why the browser blocks some requests, what Access-Control headers do, and how to fix CORS errors during development.
CORS (Cross-Origin Resource Sharing) is a browser security mechanism. It prevents JavaScript running on https://app.example.com from reading responses from https://api.other-domain.com unless the API server explicitly allows that origin.
Headers you should know
- Access-Control-Allow-Origin — which origin may read the response.
- Access-Control-Allow-Methods — which HTTP methods (GET, POST, etc.) are allowed.
- Access-Control-Allow-Headers — which request headers (for example Authorization, Content-Type) the page may send.
- Access-Control-Allow-Credentials — whether the browser may include cookies or other credentials in the request.
"Preflight" requests (OPTIONS) appear when the browser needs permission before sending the real request, for example a POST with a JSON body. Configure the backend to answer OPTIONS correctly, and do not "fix" CORS in production by switching to unsafe wildcards.
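The headers listed above and the preflight handling described in the last paragraph, as an added example for a small Node.js API (this code is not part of the article and does not come from any particular project). It assumes the API keeps an explicit allowlist of front-end origins; the origin https://app.example.com is taken from the article, the staging entry and the /items route are constructed for the example. The policy echoes the one matching origin instead of `*`, which is what lets Access-Control-Allow-Credentials be used at all: browsers reject a wildcard origin combined with credentials, and the `isUnsafeCorsPolicy` check makes that combination easy to catch in a test before deployment.

```javascript
// Added example: explicit-allowlist CORS handling for a Node.js HTTP API.
// Assumptions (not from the article): the API keeps a fixed set of trusted
// front-end origins and exposes a constructed POST /items endpoint.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',          // origin named in the article
  'https://staging.app.example.com',  // constructed example entry
]);
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['Authorization', 'Content-Type'];

// Build the Access-Control-* headers for one request. Returns null when the
// Origin is absent or not on the allowlist; the response then carries no
// CORS headers and the browser refuses to hand the body to the page.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    // Echo the single matching origin rather than '*'. A wildcard would be
    // rejected by browsers once credentials are allowed, and would otherwise
    // let every site on the web read this API's responses.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
    'Access-Control-Allow-Credentials': 'true',
    // The response differs per Origin, so caches must key on it.
    'Vary': 'Origin',
    // Let the browser reuse this preflight answer for 10 minutes.
    'Access-Control-Max-Age': '600',
  };
}

// The one combination a backend must never ship: any origin plus credentials.
function isUnsafeCorsPolicy(headers) {
  return headers['Access-Control-Allow-Origin'] === '*' &&
         headers['Access-Control-Allow-Credentials'] === 'true';
}

// Handle one request: answer preflights with 204 and an empty body, then
// serve the real API logic for everything else.
function handle(req, res) {
  const headers = corsHeaders(req.headers.origin);
  if (headers) {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  }

  if (req.method === 'OPTIONS') {
    // Preflight: the browser asks for permission before the real POST.
    res.writeHead(headers ? 204 : 403);
    res.end();
    return;
  }
  if (req.method === 'POST' && req.url === '/items') {
    res.writeHead(200, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify({ ok: true }));
    return;
  }
  res.writeHead(404);
  res.end();
}

// Start a real server only when this file is run directly (CommonJS).
function startServer(port) {
  const http = require('node:http');
  return http.createServer(handle).listen(port, () => {
    console.log(`API listening on :${port}`);
  });
}
if (typeof require !== 'undefined' && require.main === module) startServer(8080);
```

Run it with `node cors-api.js` and issue a preflight such as `curl -i -X OPTIONS -H "Origin: https://app.example.com" -H "Access-Control-Request-Method: POST" http://localhost:8080/items`; the same request with an unlisted Origin gets a 403 and no Access-Control headers, which is exactly the situation that shows up as a "CORS error" in the browser console.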