What is CORS ? Cross-Origin Resource Sharing Explained [For Interviews]
A brief explanation of Cross-Origin Resource Sharing (CORS) concept to enable client application accessing resources from cross domain and HTTP headers involved to enable resource access.
Anuj Sharma
Last Updated Feb 6, 2026
![What is CORS ? Cross-Origin Resource Sharing Explained [For Interviews]](/_next/image?url=https%3A%2F%2Ftwijvresuxjxyhisasvd.supabase.co%2Fstorage%2Fv1%2Fobject%2Fpublic%2Fblog-images%2F5bf882d3-0967-44f5-bb29-5f33706cdfa6%2Fwhat-is-cors-cross-origin-resource-sharing-explained-for-interviews-1770356348740.png&w=3840&q=75&dpl=dpl_CmEj69TYy5uFLKGbM3sFzXL4bfwv)
Cross-Origin Resource Sharing (CORS) is a crucial security feature implemented as part of all major web browsers to restrict how web applications access resources across different domains. Here’s a detailed look into how CORS works.
What is CORS (Cross-Origin Resource Sharing) in nutshell?
CORS is a mechanism that allows servers to specify which domains are permitted to access their resources. By including specific HTTP headers in their responses, servers can control and restrict access to their data.
All the major browsers use this mechanism to provide access across domains and use HTTP headers to determine whether to allow or restrict access from one domain to another.
How CORS work?
Web browsers do the CORS requests in 2 Steps
- Preflight Request or HTTP OPTION request: When a web application initiates a cross-origin request, in many cases, the browser first sends a preflight request (HTTP OPTIONS) to the server. This preflight request checks if the server allows the actual request based on its CORS policy.
- Preflight Request Server Response: The server responds with CORS-specific headers to indicate whether the request is permitted. These headers define which origins are allowed, which HTTP methods are supported, and other relevant information.
- Actual Request: If the preflight request is successful and the server permits the actual request, the browser proceeds with sending the actual request (such as GET or POST).
Key CORS Headers Required
Access-Control-Allow-Origin
Specifies which domains are allowed to access the resource. It can be set to a specific domain, "*", or null. It is not advisable to use '*' in production applications, which means resources can be accessed by any browser client and this may cause denial-of-service attack (DoS attack) attack.
Example:
Access-Control-Allow-Origin: frontendgeek.com : Server allows to access resources from frontendgeek.com client
Access-Control-Allow-Origin: * : Server allows to access resources from any client
Access-Control-Allow-Methods
Lists the HTTP methods like GET, POST, PUT, DELETE that are permitted for cross-origin requests.
Example:
Access-Control-Allow-Methods: GET, PUT, POST : Server only permits GET, PUT and POST requests from allowed client. In case of sending any other HTTP request like DELETE then server wont process that request and reject it.
Access-Control-Allow-Headers
Enumerates the HTTP headers that can be used in the actual request.
Access-Control-Allow-Credentials
Indicates whether credentials like cookies can be included in cross-origin requests. Server will process only if it is included as part of the the response HEADER.
What is a CORS Error?
When the cross-origin request is made from the client domain (browser) and if it is not allowed by the server’s CORS policy. In this case, the browser restrict the request and generates a CORS error.
There are 2 primary ways to handle CORS error
- Configure the server to include the appropriate CORS headers which allows the client domain and the corresponding HTTP request type.
- Another possible way is to use a proxy to handle cross-origin requests.
Security Implications of CORS
CORS enhances web security by allowing servers to control access to their resources. Properly configured CORS policies/headers help prevent unauthorized data access and mitigate risks such as Cross-Site Request Forgery (CSRF) and Denial-of-service (DoS) attacks.
Example Flow
Simple Request:
- Client:
domain1.commakes a GET request todomain2.com/blogs. - Server:
domain2.comresponds with the blogs andAccess-Control-Allow-Origin: domain1.com. - Browser: Checks the CORS header
Access-Control-Allow-Origin. Ifdomain1.comis part of the header value, it allows the blogs to be accessed by the web page.
Preflight Request:
- Client:
domain1.comwants to send a PUT HTTP request todomain2.com/blogs.- In some cases, browser, sends an OPTIONS HTTP request before sending the actual request to validate the server support for CORS.
- Server:
domain2.comresponds to OPTIONS request with response headers-
Access-Control-Allow-Methods: GET, PUT, POST -
Access-Control-Allow-Headers: Content-Type.
-
- Client: In case
Access-Control-Allow-Methodscontains the PUT, then browser sends the actual PUT request. - Server: Responds to the PUT request and includes
Access-Control-Allow-Origin: domain1.com. - Browser: Checks the
Access-Control-Allow-Originheader. If domain1.com is part of the header value, it allows the resource to be accessed by the web page.
Interaction Sequence Diagram of OPTION request in CORS
By setting up CORS correctly on the server, your web pages can safely request resources from other domains, keeping your web applications secure.
A seasoned Sr. Engineering Manager at GoDaddy (Ex-Dell) with over 12+ years of experience in the frontend technologies. A frontend tech enthusiast passionate building SaaS application to solve problem. Know more about me 🚀
Learn Next
Comments
Be the first to share your thoughts!
No comments yet.
Start the conversation!
Share your expertise
Publish a blog or quick notes on topics you know well — your write-up could be the answer someone needs before their next frontend interview.
Build your portfolio
Help the community
Sharpen your skills
Earn goodies
Other Related Blogs
How does JWT (JSON Web Token) Authentication work - Pros & Cons
Frontendgeek
Last Updated Jun 15, 2026
Understand the JWT(JSON Web Token) and how JWT decode works. It also covers how the end-to-end JWT authentication works between client & server, along with the pros and cons of using JWT.
Understand JavaScript Local Storage, Session Storage and Cookies
Anuj Sharma
Last Updated Feb 6, 2026
Explore how to create and use javascript local storage, session storage and cookies. Explore the key differences between Local Storage vs Session Storage vs Cookies to understand the trade-offs.
Part 1: From Zero to Published — How I Built and Published My First React NPM Package
Akash Deep Chitransh
Last Updated Feb 6, 2026
Learn how to build and publish your own NPM package with Rollup, testing, and troubleshooting. Stay tuned for part 2: building a React state management library!
Understanding Critical Rendering Path (CRP) to Improve Web Performance
Anuj Sharma
Last Updated Feb 6, 2026
Understand what all steps are involved in the Critical Rendering Path (CRP) and how optimization of different steps can improve the overall web-vitals of a web application
What happens when you type google.com in the browser
Anuj Sharma
Last Updated Feb 5, 2026
Details about how the browser works behind the scenes and what happens when you type google.com in the browser, starting from communication to the webpage rendering.
Boost Your Site Speed with CSS Sprites: A Practical Guide
Vaibhav Kumar
Last Updated Jan 28, 2026
Master CSS sprites to slash HTTP requests, supercharge load times, and optimize icons—practical guide with code, tools, and 2026 best practices.
Explained Web Authorization Techniques - Session & JWT
Anuj Sharma
Last Updated Dec 16, 2025
Understand important web authorization techniques to enhance role-based authentication for any web application with popular techniques like Session & JSON Web Token (JWT)
