# Allowed Origin

The `Access-Control-Allow-Origin` header is part of a response from a server. It tells the browser which origins are allowed to access the resource it just received from that server.

- If a webpage in the browser attempts to make an HTTP request to a different origin, and that origin is not listed in the allowed-origin list, the browser blocks the request to the other origin.

```
Access-Control-Allow-Origin: https://developer.mozilla.org
```

- The header above would allow requests from the origin `https://developer.mozilla.org` to access the resource.

The "allowed origin" list that the server sets is checked on every subsequent request beyond the initial request.

```text
# app running on https://app.com
# makes request to https://api.com
# api.com server responds with Access-Control-Allow-Origin: https://app.com
# browser checks the header, matches the origin of the request https://app.com
# browser proceeds with the request
```
# Preflight request

A preflight request is an `OPTIONS` request that the browser sends before the actual request to check whether the server permits the cross-origin request.

- If the server responds with a valid `Access-Control-Allow-Origin` header, the browser then proceeds with the actual request.
# `*` wildcard

A response that tells the browser to allow code from any origin to access the resource:

```
Access-Control-Allow-Origin: *
```

- The `*` (any site) wildcard should ONLY be used for public APIs.
- Private APIs should never use `*`; they should instead have specific domains set.
- The wildcard only works for requests made with the `crossorigin` attribute set to `anonymous`.
  - This prevents sending credentials like cookies in requests.
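The three sections above (the per-origin allowlist, the preflight `OPTIONS` exchange, and the public-API-only wildcard) fit together in one small policy. The following is an added example written for these notes, not code from the original page or from any project: it models the server side (which `Access-Control-Allow-*` headers to emit for a given request) and a simulation of the browser-side check those headers drive. The allowlist, the function names (`corsHeadersFor`, `preflightResponse`, `browserAllows`) and the sample origins are all constructed for illustration.

```javascript
// Added example (not from the original notes): a minimal server-side CORS policy
// plus a simulation of the browser-side decision it controls.

// Constructed allowlist for a private API. Only these exact origins are echoed back.
const ALLOWED_ORIGINS = new Set(["https://app.com", "https://developer.mozilla.org"]);
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];

// Server side: decide which CORS headers to attach to a response.
// Header names in `requestHeaders` are assumed lower-cased, as Node's http module does.
// `isPublicApi` selects the wildcard policy; a private API only echoes allowlisted origins.
function corsHeadersFor(requestHeaders, { isPublicApi = false } = {}) {
  const origin = requestHeaders["origin"];
  const headers = {};
  if (!origin) return headers; // same-origin or non-browser client: nothing to add

  if (isPublicApi) {
    // Public data: any origin may read it, but no credentials are ever accepted.
    headers["Access-Control-Allow-Origin"] = "*";
    return headers;
  }

  if (ALLOWED_ORIGINS.has(origin)) {
    // Echo the specific origin (never "*") so cookies can be allowed for it.
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin"; // response differs per origin; stop shared caches mixing them
  }
  // Unlisted origin: no Access-Control-Allow-Origin at all, so the browser blocks access.
  return headers;
}

// Server side: answer a preflight (OPTIONS with Access-Control-Request-Method).
function preflightResponse(requestHeaders, opts) {
  const headers = corsHeadersFor(requestHeaders, opts);
  if (!headers["Access-Control-Allow-Origin"]) return { status: 403, headers: {} };

  const method = requestHeaders["access-control-request-method"];
  if (!method || !ALLOWED_METHODS.includes(method)) return { status: 403, headers: {} };

  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = requestHeaders["access-control-request-headers"] || "";
  return { status: 204, headers };
}

// Browser side (simulated): may a page at `pageOrigin` read this cross-origin response?
// `withCredentials` mirrors a credentialed fetch (cookies sent), i.e. NOT crossorigin="anonymous".
function browserAllows(pageOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (!acao) return false; // no header: cross-origin read is blocked
  if (acao === "*") return !withCredentials; // wildcard never satisfies a credentialed request
  if (acao !== pageOrigin) return false; // header names some other origin
  if (withCredentials) return responseHeaders["Access-Control-Allow-Credentials"] === "true";
  return true;
}

// Walk through the flow from the notes: app.com calls api.com, api.com echoes app.com.
if (typeof require !== "undefined" && require.main === module) {
  const req = { origin: "https://app.com", "access-control-request-method": "POST" };
  console.log("preflight:", preflightResponse(req));
  console.log("browser allows:", browserAllows("https://app.com", corsHeadersFor(req), true));
}
```

The two policies are deliberately kept apart: the public branch returns `*` and nothing else, so a credentialed request from any page is refused by the browser, while the private branch echoes one allowlisted origin and only then adds `Access-Control-Allow-Credentials`. Echoing an arbitrary `Origin` value instead of checking it against the allowlist would be the configuration the notes warn against.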