Simon, Kiya | 17.1.2024

CORS for Dummies

What is CORS?

CORS, an acronym for "Cross-Origin Resource Sharing," fundamentally aims to ensure that data is distributed only to "trusted" users. However, this check is not enforced on the server side, but on the client side. When CORS is enabled on a server, the server sends additional response headers that allow the client to verify whether the request is allowed from the current origin domain.

Modern browsers block access to data that is not considered "trustworthy" for the current origin domain. These are the CORS errors that often appear in the network tab of the browser. With development tools such as Postman, data can still be retrieved from origins not classified as "trustworthy", because the CORS validation is simply ignored. This can occasionally make analyzing such problems more difficult. It also means CORS is not a substitute for authentication and authorization on the server.

What are the CORS headers?

Here are a few of the more important CORS response headers:

Access-Control-Allow-Origin: Specifies which origin domains can access the resource. Usually, the originating domain of the website is specified here.

Access-Control-Allow-Methods: Defines the HTTP methods (e.g., GET, POST, PUT) that are allowed to access the resource.

Access-Control-Allow-Headers: Indicates which HTTP headers in a request are allowed when accessing the resource.

What are CORS Preflight requests?

Often, the client first sends an OPTIONS request (an HTTP method) to the server to check whether further requests may be made. This is referred to as a "preflight". Its purpose is to prevent a POST / PUT / DELETE from being executed from an untrusted origin.
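The following added example (not code from the original article) models both sides of a preflight: the server deciding which of the three response headers to send, and a simplified version of the browser's check on the reply. The allowlist, origins and function names are assumptions made for illustration.

```javascript
// Added example: all names and values are assumptions, not from the article.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed allowlist
const ALLOWED_METHODS = ["GET", "POST", "PUT"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// Server side: decide which CORS response headers to send for one request.
// `req` is a plain object { method, headers } with lower-case header names.
function corsResponse(req) {
  const origin = req.headers["origin"];
  const headers = { Vary: "Origin" }; // caches must not reuse a reply across origins
  const trusted = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  const isPreflight =
    req.method === "OPTIONS" && ("access-control-request-method" in req.headers);
  if (!trusted) {
    // No Access-Control-Allow-Origin: the browser refuses to expose the reply.
    return { status: isPreflight ? 403 : 200, headers };
  }
  headers["Access-Control-Allow-Origin"] = origin; // echo the exact trusted origin
  if (isPreflight) {
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    return { status: 204, headers };
  }
  return { status: 200, headers };
}

// Build the OPTIONS request a browser sends before, e.g., a PUT with extra headers.
function preflightRequest(pageOrigin, method, headerNames) {
  const headers = { origin: pageOrigin, "access-control-request-method": method,
    "access-control-request-headers": headerNames.join(", ") };
  return { method: "OPTIONS", headers };
}

// Client side: simplified model of the browser's check on the preflight reply.
function preflightPasses(pageOrigin, method, headerNames, res) {
  const items = (v) => (v || "").split(",").map((s) => s.trim());
  if (res.status < 200 || res.status > 299) return false;
  if (res.headers["Access-Control-Allow-Origin"] !== pageOrigin) return false;
  if (!items(res.headers["Access-Control-Allow-Methods"]).includes(method)) return false;
  const allowed = items(res.headers["Access-Control-Allow-Headers"]).map((s) => s.toLowerCase());
  return headerNames.every((n) => allowed.includes(n.toLowerCase()));
}

// Run one simulated preflight round trip and report the browser's verdict.
function simulate(pageOrigin, method, headerNames) {
  const res = corsResponse(preflightRequest(pageOrigin, method, headerNames));
  return preflightPasses(pageOrigin, method, headerNames, res);
}
```

A plain GET from an origin that is not on the allowlist still gets status 200 from `corsResponse`, only without Access-Control-Allow-Origin: the server has answered, and it is the browser that withholds the data from the page.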

What do I have to remember?

  • CORS is controlled by the backend / server in the form of response headers

  • Browsers / clients interpret the response headers and potentially report a CORS error

  • Additional trusted domains must be configured server-side as "trustworthy" in the Access-Control-Allow-Origin header

  • Development tools usually ignore CORS

  • CORS Preflight is nothing more than a preceding OPTIONS request to perform CORS validation

Simon Jakubowski