CORS (Cross-Origin Resource Sharing) is an HTTP-header-based security mechanism that lets a server explicitly permit cross-origin requests from web browsers, acting as a controlled exception to the browser's Same-Origin Policy (SOP). SOP prevents a script running on one origin (the protocol, domain, and port combination) from reading responses fetched from a different origin, which stops a malicious site from reading sensitive data through the victim's browser. CORS enables legitimate cross-origin communication by having the server send specific response headers (Access-Control-Allow-Origin, Access-Control-Allow-Methods, and so on) that tell the browser whether the requesting origin may access the response. A critical point is that CORS is enforced by the browser, not the server: the server only responds with headers describing its policy, and the browser decides whether to expose the response to the requesting JavaScript. The request itself still reaches the server, so server-side logs will show it even when the browser blocks the response from reaching your code.