CORS Explained Once and For All: Why the Browser Blocks Your Requests

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that restricts web pages from making HTTP requests to a different origin than the page was loaded from. An 'origin' is the combination of protocol, domain, and port — so https://app.example.com and https://api.example.com are different origins even though they share a domain. Without CORS restrictions, a malicious website could make API requests to your bank's API using your existing authentication cookies, potentially reading your account data or initiating transfers. CORS is a browser enforcement; it doesn't apply to server-to-server requests or curl — only to requests made from browser JavaScript.

A preflight request is an automatic OPTIONS request the browser sends before a 'non-simple' cross-origin request to check whether the server allows it. Simple requests (GET or POST with only simple headers and application/x-www-form-urlencoded, text/plain, or multipart/form-data content type) don't get a preflight. Most API calls do: PUT, DELETE, PATCH methods trigger preflights, as does POST with application/json content type, or any request with custom headers like Authorization. The browser sends OPTIONS to the server asking 'will you accept this request from this origin?' If the server responds with the right Allow headers, the actual request proceeds. If not, the browser blocks it with a CORS error.

It depends on the endpoint. Wildcard (*) is appropriate for purely public APIs that don't use cookies or require authentication — like a weather API, a public data API, or a CDN serving assets. It's not appropriate for authenticated endpoints. When Access-Control-Allow-Origin is *, browsers won't send cookies or Authorization headers (Access-Control-Allow-Credentials: true can't be used with wildcard origin). So an authenticated API with * is accessible to any site's JavaScript but without authentication context, which may be fine. The risk is for APIs that rely on implicit authentication — like APIs that check the user's session based on cookies. For those, specify exact allowed origins rather than wildcard.