Security

What is CORS (Cross-Origin Resource Sharing)?

A browser security mechanism that controls which web origins a page may read responses from when it calls your API from script. Misconfigured CORS can either block your own legitimate frontend or let an attacker's website read authenticated responses from your API using a visitor's logged-in session.

In plain English

Your API has a VIP list. When a page on another website calls your API, the browser asks your API 'is this website on the VIP list?' If your API says yes (by sending the right headers), the browser lets the page read the response. If not, the browser withholds it. Setting CORS to allow all origins (*) is like throwing the VIP list away, and echoing back whatever origin asks (with credentials allowed) is like adding every name to the list on request, which is worse because it lets other websites act with your visitors' logged-in sessions.

How it works

When your frontend (on https://example.com) makes a request from script to your API (on https://api.example.com), the browser attaches an Origin: https://example.com header. For anything beyond a simple request (for example a JSON body, an Authorization header, or PUT/DELETE), it first sends an OPTIONS preflight asking whether that method and those headers are permitted. The API answers with Access-Control-Allow-Origin (and, on a preflight, Access-Control-Allow-Methods and Access-Control-Allow-Headers) naming the permitted origin. If the origin is not allowed, the browser withholds the response from the page, and after a failed preflight it never sends the real request at all. Note that a simple GET or form POST is still sent and executed by your server; CORS only hides the response, which is why it is not a defence against request forgery. This is a browser-only protection: curl, scripts and server-to-server requests ignore it entirely, so CORS is never a substitute for authentication.

Common mistakes

Setting Access-Control-Allow-Origin to * in production. Browsers will not send cookies or accept Access-Control-Allow-Credentials with a wildcard, so * alone exposes only what an anonymous client could already fetch, but that still includes APIs that are "protected" by sitting on an internal network or behind a VPN. Using credentials: 'include' against a wildcard origin fails in the browser, and the common 'fix' is to echo the request's Origin header back verbatim with Access-Control-Allow-Credentials: true, which lets any website on the internet make authenticated requests with your users' cookies and read the results. Matching origins with a substring or loose regex, so that https://yourapp.com.evil.example or https://evil-yourapp.com passes as yourapp.com, or allowing the null origin, which sandboxed iframes and some redirects send. Not handling preflight OPTIONS requests, so requests with custom headers or JSON bodies fail before they ever reach your handlers.

Correct configuration

In production, set Access-Control-Allow-Origin to your specific frontend origin (https://yourapp.com, scheme included). If you need multiple origins, compare the request's Origin header against an allowlist with an exact string match and echo it back only on a match, adding Vary: Origin so caches do not serve one origin's response to another. Send Access-Control-Allow-Credentials: true only if the frontend really needs cookies or an Authorization header cross-origin, and never for the null origin. Only allow the HTTP methods and headers your frontend actually uses. Set an appropriate Access-Control-Max-Age on preflight responses so the browser caches the result and sends fewer OPTIONS requests, and keep development origins such as http://localhost:3000 out of the production allowlist.
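The allowlist check described above, together with the reflected-origin mistake from the previous section and a model of the browser's side of the decision, as an added example written for this page (it is not code from the original page or from any particular framework). The origins, allowed methods and header names are assumptions chosen for the demonstration; the server function is framework-agnostic and takes a lowercased header object like Node's req.headers.

```javascript
// Added example (not code from the original page): an exact-match CORS
// allowlist with preflight handling, the insecure reflect-any-origin pattern
// for contrast, and a model of the browser's decision so the two can be
// exercised together offline. Origins, methods and headers are assumptions.

const ALLOWED_ORIGINS = new Set([
  'https://yourapp.com',
  'http://localhost:3000', // development frontend; drop this in production
]);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];
const PREFLIGHT_MAX_AGE = 600; // seconds the browser may cache a preflight result

// Server side: decide CORS headers for one request. `method` is the HTTP method,
// `headers` an object of lowercased request header names (as Node's req.headers).
// Returns { status, headers }: 204 ends a successful preflight, 403 rejects one,
// and null means "add these headers and handle the request as usual".
function corsDecision(method, headers) {
  const origin = headers['origin'];
  // No Origin header: same-origin navigation or a non-browser client. Nothing to add.
  if (origin === undefined) return { status: null, headers: {} };

  const isPreflight = method === 'OPTIONS' && 'access-control-request-method' in headers;

  // Exact comparison against the allowlist. Substring or regex checks are a classic
  // bypass: "https://yourapp.com.evil.example" contains "yourapp.com".
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Send no CORS headers at all; the browser then withholds the response from the page.
    return { status: isPreflight ? 403 : null, headers: {} };
  }

  const out = {
    'access-control-allow-origin': origin,
    // The response differs per origin, so shared caches must key on Origin.
    'vary': 'Origin',
    // Only needed when the frontend sends cookies or Authorization cross-origin.
    'access-control-allow-credentials': 'true',
  };

  if (!isPreflight) return { status: null, headers: out };

  // Preflight: the requested method and headers must each be on the allowlist.
  const reqMethod = headers['access-control-request-method'].toUpperCase();
  const reqHeaders = (headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const methodOk = ALLOWED_METHODS.includes(reqMethod);
  const headersOk = reqHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!methodOk || !headersOk) return { status: 403, headers: {} };

  out['access-control-allow-methods'] = ALLOWED_METHODS.join(', ');
  out['access-control-allow-headers'] = ALLOWED_HEADERS.join(', ');
  out['access-control-max-age'] = String(PREFLIGHT_MAX_AGE);
  return { status: 204, headers: out };
}

// The mistake the text warns about: a loose substring check, then reflecting the
// Origin header back with credentials allowed. Kept here only for contrast.
function insecureCorsDecision(headers) {
  const origin = headers['origin'];
  if (origin === undefined || !origin.includes('yourapp.com')) return { status: null, headers: {} };
  return {
    status: null,
    headers: { 'access-control-allow-origin': origin, 'access-control-allow-credentials': 'true' },
  };
}

// Browser side: may a page at `pageOrigin` read this response? Mirrors the spec's
// check: Allow-Origin must be "*" or exactly the page origin, and a credentialed
// request additionally requires Allow-Credentials: true and forbids "*".
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders['access-control-allow-origin'];
  const acac = responseHeaders['access-control-allow-credentials'];
  if (acao === undefined) return false;
  if (withCredentials) return acao === pageOrigin && acac === 'true';
  return acao === '*' || acao === pageOrigin;
}

// A lookalike origin (constructed for the demo) against both server variants.
const demoHeaders = { origin: 'https://yourapp.com.evil.example' };
console.log(browserAllowsRead(demoHeaders.origin, insecureCorsDecision(demoHeaders).headers, true)); // true: the lookalike site reads the response
console.log(browserAllowsRead(demoHeaders.origin, corsDecision('GET', demoHeaders).headers, true)); // false
```

Run it with node. To wire corsDecision into a real handler, set the returned headers on the response and, when status is non-null, end the response with that status before any business logic runs. The insecureCorsDecision function is the pattern to avoid: a page on https://yourapp.com.evil.example passes its substring check and receives a credentialed, readable response, which browserAllowsRead confirms, while the exact-match version returns no CORS headers for the same origin and rejects its preflight outright.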

Frequently asked questions

Why do I get CORS errors in development but not production?

In development, your frontend runs on http://localhost:3000 and your API on http://localhost:8000, which are different origins, so every API call is cross-origin and the browser enforces CORS on each one. Most frameworks' development servers are configured to allow all origins or to proxy API calls from the frontend's origin, which hides the problem. In production, if your frontend and API are served from the same origin (for example both behind https://yourapp.com, with the API under /api), no cross-origin request occurs and CORS does not apply at all. Otherwise the difference is simply that your production CORS configuration is not the same as the development one, which is exactly what you want, provided the production allowlist names your real frontend origin.

Check your app

Get a professional review of your app at a fixed price.

Security Scan

Black-box review of your public-facing app. No code access needed.

$19
  • OWASP Top 10 checks
  • SSL/TLS analysis
  • Security headers
  • Expert review within 24h

Code Audit

In-depth review of your source code for security, quality, and best practices.

$19
  • Security vulnerabilities
  • Code quality review
  • Dependency audit
  • AI pattern analysis

Complete Bundle (Best Value)

Both scans in one package with cross-referenced findings.

$29 (regularly $38)
  • Everything in both products
  • Cross-referenced findings
  • Unified action plan

100% credited toward any paid service. Start with an audit, then let us fix what we find.

Worried about CORS (Cross-Origin Resource Sharing) in your app?

Get a professional code audit ($19) or book a free call to discuss your concerns.

Tell Us About Your App