What is CORS?
CORS, an acronym for "Cross-Origin Resource Sharing," fundamentally aims to ensure that a resource's data is exposed only to pages from "trusted" origins. However, this assurance is not enforced on the server side, but on the client side. For example, if CORS is enabled on a server, it sends additional response headers that allow the client (the browser) to verify whether the request is allowed from the current originating domain; the server itself still answers the request.
Modern browsers block access to data that is not considered "trustworthy" for the current origin domain. These are the CORS errors that commonly appear in the browser's network tab and console. With the help of development tools such as Postman, data can be retrieved from origins not classified as "trustworthy" because such tools perform no CORS validation at all: CORS is a browser mechanism, and the server does not refuse the request. This can occasionally make analyzing such problems more difficult, because the same request succeeds in Postman and fails in the browser.
What are the CORS headers?
Here are a few of the more important CORS response headers:
Access-Control-Allow-Origin: Specifies which origin domains can access the resource. Usually, the originating domain of the website is specified here.
Access-Control-Allow-Methods: Defines the HTTP methods (e.g., GET, POST, PUT) that are allowed to access the resource.
Access-Control-Allow-Headers: Indicates which HTTP headers in a request are allowed when accessing the resource.
What are CORS Preflight requests?
Often, the client first sends an OPTIONS request (the HTTP method) to the server to check whether the actual request may be made. This is referred to as a "preflight". It prevents a POST / PUT / DELETE from an untrusted origin from being executed before the server has approved it. Note that the browser skips the preflight for "simple" requests (GET, HEAD, or a form-style POST with no custom headers); a PUT or DELETE, a JSON body, or a custom header such as Authorization triggers it.
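To make the header and preflight behaviour concrete, here is an added example that is not part of the original article: a small standalone model of how a backend decides which CORS response headers to send, plus the rule a browser uses to decide whether a preflight is needed. The allowlist, the Request class and the policy_weaknesses check are assumptions for illustration, not the API of any real framework. It goes slightly beyond the text by also showing the preflight check for requested methods and headers, and a reviewer-style check for two common misconfigurations (wildcard origin with credentials, and an origin reflected without an allowlist).

```python
"""Added example (not from the original article): server-side CORS policy
evaluation and the browser's 'needs preflight' rule, modelled in plain Python.

Assumptions: an explicit origin allowlist and a minimal Request class;
neither comes from a real framework.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed allowlist: the only origins allowed to read responses.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"content-type", "authorization"}

# Rules from the Fetch standard for "simple" requests that need no preflight.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


@dataclass
class Request:
    method: str
    origin: Optional[str] = None        # value of the Origin request header, if any
    headers: dict = field(default_factory=dict)


def needs_preflight(method: str, headers: dict) -> bool:
    """Return True when a browser would send an OPTIONS preflight first."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True          # e.g. Authorization or any custom header
        if lname == "content-type":
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SIMPLE_CONTENT_TYPES:
                return True      # e.g. application/json
    return False


def cors_response_headers(req: Request) -> dict:
    """Compute the CORS headers the server attaches. An empty dict means
    'no grant': the browser will then refuse to expose the response."""
    if req.origin is None or req.origin not in ALLOWED_ORIGINS:
        return {}   # same-origin / non-browser caller, or an untrusted origin

    granted = {
        "Access-Control-Allow-Origin": req.origin,  # echo only allowlisted origins
        "Vary": "Origin",                           # caches must key on Origin
    }
    lowered = {k.lower(): v for k, v in req.headers.items()}
    requested_method = lowered.get("access-control-request-method")
    if req.method.upper() == "OPTIONS" and requested_method:
        # Preflight: approve the method and headers the real request will use.
        requested_headers = {
            h.strip().lower()
            for h in lowered.get("access-control-request-headers", "").split(",")
            if h.strip()
        }
        if requested_method.upper() not in ALLOWED_METHODS:
            return {}
        if not requested_headers <= ALLOWED_HEADERS:
            return {}
        granted["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        granted["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        granted["Access-Control-Max-Age"] = "600"   # browser may cache this grant
    return granted


def policy_weaknesses(response_headers: dict) -> list:
    """Flag two common misconfigurations a reviewer looks for in a CORS policy."""
    findings = []
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append("wildcard origin combined with credentials")
    if acao and acao != "*" and acao not in ALLOWED_ORIGINS:
        findings.append(f"origin {acao!r} reflected without allowlist check")
    return findings


if __name__ == "__main__":
    pre = Request("OPTIONS", "https://app.example.com",
                  {"Access-Control-Request-Method": "PUT",
                   "Access-Control-Request-Headers": "Content-Type, Authorization"})
    print(cors_response_headers(pre))                                      # full grant
    print(cors_response_headers(Request("GET", "https://evil.example")))   # {}
    print(needs_preflight("POST", {"Content-Type": "application/json"}))   # True
```

The `Vary: Origin` line matters in practice: without it a shared cache may serve a response carrying one origin's `Access-Control-Allow-Origin` to a page from another origin. The `policy_weaknesses` check is the kind of assertion worth adding to a backend's test suite so a later "just reflect the Origin header" shortcut is caught early.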
What do I have to remember?
CORS is controlled by the backend / server in the form of response headers
Browsers / clients interpret the response headers and potentially report a CORS error
Additional trusted domains must be configured server-side as "trustworthy" in the
Development tools usually ignore CORS
CORS Preflight is nothing more than a preceding OPTIONS request to perform CORS validation