CORS (Cross-Origin Resource Sharing) Cheat Sheet

Updated 2026-03-10

CORS (Cross-Origin Resource Sharing) is an HTTP-header-based security mechanism that allows servers to explicitly permit cross-origin requests from web browsers, working as a controlled exception to the browser's Same-Origin Policy (SOP). SOP restricts scripts on one origin (protocol, domain, and port combination) from accessing resources on a different origin, preventing malicious sites from reading sensitive data. CORS enables legitimate cross-domain communication by having the server send specific response headers (Access-Control-Allow-Origin, Access-Control-Allow-Methods, etc.) that instruct the browser whether to allow the requesting origin access. A critical insight: CORS is enforced by browsers, not servers—the server responds with headers indicating policy, but the browser ultimately decides whether to expose the response to the requesting JavaScript, meaning server-side logs will show requests even when the browser blocks the response from reaching your code.

What This Cheat Sheet Covers

This topic spans 16 focused tables and 84 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

  • Table 1: Core CORS Concepts
  • Table 2: CORS Response Headers (Server → Browser)
  • Table 3: CORS Request Headers (Browser → Server)
  • Table 4: Request Modes and Credential Handling
  • Table 5: Safelisted Request Headers and Content-Types
  • Table 6: Simple Request Conditions
  • Table 7: Preflight Request Triggers
  • Table 8: Preflight Response Requirements
  • Table 9: Common CORS Error Messages
  • Table 10: CORS Security Vulnerabilities
  • Table 11: CORS Best Practices
  • Table 12: Server-Side CORS Implementation (Node.js/Express)
  • Table 13: CORS Configuration in Other Frameworks
  • Table 14: CORS with Proxies and CDNs
  • Table 15: CORS Debugging and Testing
  • Table 16: Advanced CORS Topics

Table 1: Core CORS Concepts

| Concept | Example | Description |
|---|---|---|
| Same-Origin Policy (SOP) | `https://app.com:443` vs. `https://app.com:8080` = different | Browser security restricting scripts from one origin accessing another; origins match only if protocol, domain, and port are identical. |
| Origin | `https://api.example.com:443` | Combination of scheme (protocol), host (domain), and port; defines request boundary for SOP. |
| Cross-Origin Request | Page at `https://app.com` fetches `https://api.other.com/data` | HTTP request where the requesting origin differs from the resource origin; triggers CORS checks in browsers. |
| Preflight Request | `OPTIONS /api/users HTTP/1.1`<br>`Origin: https://app.com` | Automatic browser-sent OPTIONS request before non-simple requests to check if actual request is permitted; servers respond with allowed methods/headers. |
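
The origin comparison from Table 1 and the browser-side enforcement described in the introduction, modelled as an added JavaScript example (not part of the original cheat sheet). Function names and sample URLs are constructed for illustration; the credentials rule follows the CORS check in the Fetch standard.

```javascript
// Simplified model of the browser-side decision; not browser source code.
// All function names and sample values are constructed for illustration.

// An origin is scheme + host + port. The URL parser drops default ports,
// so https://app.com:443 and https://app.com serialize identically.
function originOf(url) {
  return new URL(url).origin;
}

function isCrossOrigin(pageUrl, resourceUrl) {
  return originOf(pageUrl) !== originOf(resourceUrl);
}

// Case-insensitive lookup of a response header in a plain object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// Decide whether page script may read the response. By the time this check
// runs, the server has already handled (and logged) the request.
function browserExposesResponse(pageUrl, resourceUrl, responseHeaders, withCredentials = false) {
  if (!isCrossOrigin(pageUrl, resourceUrl)) return true; // same origin: no CORS check
  const allowOrigin = header(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false; // server did not opt in
  if (!withCredentials) {
    return allowOrigin === "*" || allowOrigin === originOf(pageUrl);
  }
  // Credentialed request: the wildcard is rejected, and the server must also
  // send Access-Control-Allow-Credentials: true.
  return allowOrigin === originOf(pageUrl) &&
    header(responseHeaders, "Access-Control-Allow-Credentials") === "true";
}

// Constructed sample: the page and API from the Cross-Origin Request row.
const page = "https://app.com/dashboard";
const api = "https://api.other.com/data";
console.log(isCrossOrigin("https://app.com:443/", "https://app.com:8080/")); // ports differ
console.log(browserExposesResponse(page, api, {})); // no CORS headers sent
console.log(browserExposesResponse(page, api, { "Access-Control-Allow-Origin": "https://app.com" }));
console.log(browserExposesResponse(page, api, { "Access-Control-Allow-Origin": "*" }, true));
```

The header value is compared against the serialized origin as a string, so a server that echoes `https://app.com:443` does not match a page whose origin serializes as `https://app.com`.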
