CORS
Definition
Cross-Origin Resource Sharing: a browser-enforced mechanism, carried in HTTP response headers, by which a server selectively relaxes the Same-Origin Policy so that pages on other origins can read its responses. It extends what web applications can do across origins while leaving the decision with the owner of the resource.
Use Cases
- GitHub: lets browser-based apps and developer tools call the GitHub REST API from other origins while the browser still enforces cross-origin rules. GitHub's API responses carry CORS headers (for example, Access-Control-Allow-Origin), so a browser can decide whether a web app hosted on a different domain may read responses from api.github.com. (Benefit: legitimate third-party web integrations and developer tooling work in the browser while cross-origin access stays under the API owner's control.)
- Stripe: lets a web application talk to Stripe APIs from a different origin than the app's own backend while the browser permits only the cross-origin interactions Stripe allows. Stripe's API endpoints return CORS headers suitable for browser contexts, and Stripe's client-side libraries (such as Stripe.js) are built to work within browser constraints, including CORS and preflight requests. CORS only governs what a page may read; it is not authentication, so a browser integration still authenticates with a key intended for client-side use. (Benefit: less friction for web integrations without giving up browser-enforced controls.)
Frequently Asked Questions
- What's the difference between CORS and the Same-Origin Policy (SOP)?
- The Same-Origin Policy is the browser's default rule: a page may not read responses from a different origin, an origin being the combination of scheme, host and port. It restricts reading, not sending: a form post or a simple GET still reaches the other server, the browser just withholds the response from the page. CORS is the standard way for a server to relax that rule for chosen origins. It adds HTTP response headers (Access-Control-Allow-Origin and related headers) that tell the browser which origins, methods and request headers are permitted, and for requests outside the "simple" set the browser first sends an OPTIONS preflight to ask. CORS is enforced only by browsers: it does nothing against non-browser clients and is not a substitute for authentication on the server.
- When should I use CORS?
- Use CORS when a browser-based frontend (for example, https://app.example.com) needs to call an API or fetch resources hosted on a different origin (for example, https://api.example.com). Configure it on the API/resource server, not the frontend, and allow only the specific origins, methods and headers your app needs. Match origins exactly against an allowlist rather than by prefix, suffix or regular expression, and never echo an arbitrary Origin header back while also sending Access-Control-Allow-Credentials: true, since that combination lets any site a logged-in user visits read that user's responses. When the allowed origin is chosen per request, also send Vary: Origin so shared caches do not serve one origin's response to another.
- How much does CORS cost?
- CORS itself is a free HTTP and browser standard with no licensing cost. Indirect costs come from the infrastructure that serves the requests (API gateway, load balancer, CDN, object storage) and from the extra preflight (OPTIONS) requests the browser sends before non-simple cross-origin requests, which add request volume and a round trip of latency and can show up in usage-based cloud billing. Sending Access-Control-Max-Age lets the browser reuse a preflight result for a period, which cuts the number of OPTIONS requests it makes.
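As an added example that is not part of the original page: the allowlist-based server configuration described under "When should I use CORS?" and the preflight caching via Access-Control-Max-Age mentioned under cost, written as a Node.js-style policy function with the unsafe origin-reflecting variant beside it for contrast. The origins (app.example.com, admin.example.com, attacker.example), the allowed methods and headers, and the 600-second cache lifetime are assumptions chosen for illustration, and the requests it runs over are constructed, not captured traffic.

```javascript
// Added example, not code from the original page: a CORS policy in the shape of a
// Node.js HTTP middleware, plus the unsafe "reflect any Origin" variant for contrast.
// Origins, methods, header names and the cache lifetime below are assumptions.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",   // assumed first-party frontend
  "https://admin.example.com", // assumed second allowed frontend
]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "authorization"]; // compared case-insensitively
const PREFLIGHT_MAX_AGE = 600; // seconds the browser may reuse a preflight result

// Decide which CORS headers (if any) to attach to a response.
// method: HTTP method of the incoming request.
// reqHeaders: incoming headers with lower-case names, as Node's http module delivers them.
// Returns { status, headers }: status 204/403 means "answer this preflight now";
// status null means "attach these headers and continue to the real handler".
function corsPolicy(method, reqHeaders) {
  const origin = reqHeaders["origin"];
  const headers = {};

  // No Origin header: same-origin navigation or a non-browser client. CORS does not apply.
  if (!origin) return { status: null, headers };

  // Exact-match allowlist. No prefix, suffix or regex matching, so an origin such as
  // "https://app.example.com.attacker.example" cannot pass.
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Send no Access-Control-* headers, so the browser refuses to expose the response.
    // A simple (non-preflighted) request from this origin still reaches the real handler;
    // CSRF defences for state-changing endpoints remain the handler's job, not CORS's.
    return { status: method === "OPTIONS" ? 403 : null, headers };
  }

  headers["Access-Control-Allow-Origin"] = origin;
  headers["Vary"] = "Origin"; // shared caches must not serve one origin's response to another
  headers["Access-Control-Allow-Credentials"] = "true"; // safe only because origin is allowlisted

  const isPreflight = method === "OPTIONS" && "access-control-request-method" in reqHeaders;
  if (isPreflight) {
    const wantedMethod = reqHeaders["access-control-request-method"].toUpperCase();
    const wantedHeaders = (reqHeaders["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(wantedMethod) &&
      wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return { status: 403, headers: {} };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    // Letting the browser cache the preflight is what keeps OPTIONS traffic (and its cost) down.
    headers["Access-Control-Max-Age"] = String(PREFLIGHT_MAX_AGE);
    return { status: 204, headers };
  }
  return { status: null, headers };
}

// Unsafe variant, shown only for contrast: echoes any Origin and still allows credentials,
// so any page a logged-in user visits can read that user's authenticated responses.
function reflectingCorsPolicy(method, reqHeaders) {
  const origin = reqHeaders["origin"];
  if (!origin) return { status: null, headers: {} };
  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
  return { status: method === "OPTIONS" ? 204 : null, headers };
}

// Run both policies over constructed requests (not captured traffic) and return the decisions.
function demo() {
  const fromApp = { origin: "https://app.example.com" };
  const preflight = {
    origin: "https://app.example.com",
    "access-control-request-method": "PUT",
    "access-control-request-headers": "Content-Type, Authorization",
  };
  const fromAttacker = { origin: "https://attacker.example" };
  return {
    allowedGet: corsPolicy("GET", fromApp),
    allowedPreflight: corsPolicy("OPTIONS", preflight),
    deniedGet: corsPolicy("GET", fromAttacker),
    deniedPreflight: corsPolicy("OPTIONS", { ...fromAttacker, "access-control-request-method": "PUT" }),
    reflectedGet: reflectingCorsPolicy("GET", fromAttacker),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

To wire corsPolicy into a real server, call it with req.method and req.headers, write the returned headers, and end the response early whenever status is non-null. Note that deniedGet still comes back with status null: the browser hides the response from the attacker's page, but the handler ran, which is why CSRF protection for state-changing endpoints has to live in the handler rather than in the CORS layer.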
Category: security
Difficulty: intermediate
See Also