Cross-Origin Resource Sharing (CORS)

Cross-origin resource sharing

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin. In other words, CORS provides a means to relax the same-origin policy. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own.

As we've seen before, browsers restrict cross-origin HTTP requests initiated from scripts for security reasons. For example, XMLHttpRequest and the Fetch API follow the same-origin policy. This means that a web application using those APIs can only request resources from the same origin the application was loaded from, unless the response from other origins includes the right CORS headers. CORS relaxes SOP.

CORS headers

Access-Control-Allow-Origin

Access-Control-Allow-Origin specifies either a single origin, which tells browsers to allow that origin to access the resource, or the wildcard *, which allows any origin. With the wildcard, however, Access-Control-Allow-Credentials will not work. Example:

Access-Control-Allow-Origin: http://foo.example

Access-Control-Allow-Methods

The Access-Control-Allow-Methods header specifies the method or methods allowed when accessing the resource. Example:

Access-Control-Allow-Methods: POST, GET

Access-Control-Allow-Headers

The Access-Control-Allow-Headers header is used in response to a preflight request to indicate which HTTP headers can be used when making the actual request. Example:

Access-Control-Allow-Headers: Authorization, Content-Type

Access-Control-Expose-Headers

The Access-Control-Expose-Headers header lets a server whitelist the response headers that browsers are allowed to expose to scripts. Example:

Access-Control-Expose-Headers: X-My-Custom-Header

Access-Control-Max-Age

The Access-Control-Max-Age header indicates how long, in seconds, the results of a preflight request can be cached. The Access-Control-Allow-Headers header above is an example of a header returned in response to a preflight request. Example:

Access-Control-Max-Age: 86400

Access-Control-Allow-Credentials

The Access-Control-Allow-Credentials header indicates whether cookies or HTTP authentication information may be sent along with the request. Example:

Access-Control-Allow-Credentials: true

Source attribution

Some parts of this page are based on Cross-Origin Resource Sharing (CORS) by Mozilla Contributors, which is licensed under CC-BY-SA 2.5.