What is CORS (Cross-Origin Resource Sharing)?
Turkish: CORS
CORS uses HTTP headers to tell browsers which origins may safely read responses from an API hosted on another origin.
What is CORS?
CORS (Cross-Origin Resource Sharing) is an HTTP header mechanism that decides whether browser JavaScript may read responses across origins. An origin is the combination of scheme, host, and port. https://app.example.com and https://api.example.com are different origins.
How Does It Work?
The browser detects that a frontend application wants to access an API on another origin. The server responds with headers such as Access-Control-Allow-Origin to say which origins are allowed. For non-simple requests, the browser first sends an OPTIONS preflight request to check the method, headers, and credential policy.
Common Misunderstanding
CORS is not server-side authorization. It controls whether the browser exposes the response to JavaScript; it does not block curl, Postman, or server-to-server requests. API security still needs authentication, authorization, rate limiting, and input validation.
Common Headers
Access-Control-Allow-Origin: the origin allowed to read the response
Access-Control-Allow-Methods: allowed HTTP methods
Access-Control-Allow-Headers: custom request headers the client may send
Access-Control-Allow-Credentials: whether cookies or authorization data may be sent
Business Use
Browser-based frontends that call a REST API on a separate domain need CORS configuration; native mobile apps generally are not subject to browser CORS restrictions. In production, broad * access should be replaced with a known origin list, explicit credential policy, and environment-specific configuration.
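The preflight exchange and the production advice above (an explicit origin allowlist, an explicit credential policy, no wildcard) can be shown in one small policy evaluator. The code below is an added example written for this page, not code from the original article or from any library; the policy values, the origins app.example.com and admin.example.com, and the function names evaluateCors, validatePolicy and normalizeOrigin are all assumptions. Requests are constructed objects shaped like Node's http.IncomingMessage (method plus a headers map with lower-cased keys). Note that a disallowed origin gets no CORS headers rather than an error: the server still processes the request, which is exactly why CORS is not authorization.

```javascript
// Added example (not from the original page): a minimal CORS policy evaluator
// covering preflight handling and an allowlist-based production policy.
// Request objects mirror Node's http.IncomingMessage shape: `method` plus a
// `headers` map with lower-cased keys. All requests used here are constructed.

// Hypothetical production policy: explicit origin allowlist, no wildcard.
const PRODUCTION_POLICY = {
  allowedOrigins: ["https://app.example.com", "https://admin.example.com"],
  allowedMethods: ["GET", "POST", "PUT", "DELETE"],
  allowedHeaders: ["Content-Type", "Authorization"],
  allowCredentials: true,
  maxAgeSeconds: 600,
};

// Hypothetical development policy: wildcard origin, so credentials must be off.
const DEV_POLICY = {
  allowedOrigins: "*",
  allowedMethods: ["GET", "POST"],
  allowedHeaders: ["Content-Type"],
  allowCredentials: false,
  maxAgeSeconds: 0,
};

// Browsers refuse a wildcard origin on credentialed requests, so a policy that
// combines the two is a configuration bug; fail fast instead of shipping it.
function validatePolicy(policy) {
  if (policy.allowedOrigins === "*" && policy.allowCredentials) {
    throw new Error("Access-Control-Allow-Origin: * cannot be combined with credentials");
  }
  return true;
}

// Canonicalise the Origin value to scheme://host[:port] so that letter case or
// an explicit default port cannot slip past the allowlist. "null" and malformed
// values return null and are therefore never allowed.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Returns { applies, allowed, preflight, headers }. `headers` is what the
// server should add to its response; `allowed` is whether the browser will be
// permitted to proceed (preflight) or to read the response (actual request).
function evaluateCors(req, policy) {
  validatePolicy(policy);
  const headers = {};
  const rawOrigin = req.headers["origin"];
  const preflight =
    req.method === "OPTIONS" && "access-control-request-method" in req.headers;

  // No Origin header: same-origin request or a non-browser client such as
  // curl. CORS does not apply; authentication and authorization still must.
  if (!rawOrigin) {
    return { applies: false, allowed: false, preflight: false, headers };
  }

  const origin = normalizeOrigin(rawOrigin);
  let originAllowed = false;
  if (policy.allowedOrigins === "*") {
    originAllowed = true;
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (origin !== null && policy.allowedOrigins.includes(origin)) {
    originAllowed = true;
    // Echo only the allowlisted, normalised origin (never the raw request
    // value) and tell shared caches that the response varies by Origin.
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Vary"] = "Origin";
    if (policy.allowCredentials) {
      headers["Access-Control-Allow-Credentials"] = "true";
    }
  }

  // Disallowed origin: emit no CORS headers at all. The browser withholds the
  // response from JavaScript; the server must still enforce its own authz.
  if (!originAllowed) {
    return { applies: true, allowed: false, preflight, headers: {} };
  }

  if (preflight) {
    const wantMethod = req.headers["access-control-request-method"].toUpperCase();
    const wantHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const allowedLower = policy.allowedHeaders.map((h) => h.toLowerCase());
    const methodOk = policy.allowedMethods.includes(wantMethod);
    const headersOk = wantHeaders.every((h) => allowedLower.includes(h));
    if (!methodOk || !headersOk) {
      return { applies: true, allowed: false, preflight: true, headers: {} };
    }
    headers["Access-Control-Allow-Methods"] = policy.allowedMethods.join(", ");
    headers["Access-Control-Allow-Headers"] = policy.allowedHeaders.join(", ");
    headers["Access-Control-Max-Age"] = String(policy.maxAgeSeconds);
  }

  return { applies: true, allowed: true, preflight, headers };
}
```

In a real server the result would be applied as: if `preflight` is true, respond 204 with `headers` and stop; otherwise merge `headers` into the normal response and continue to authentication and the handler regardless of `allowed`. The allowlist lookup happens on the normalised origin, and the raw header value is never reflected, which is what closes the common "echo any Origin with credentials" mistake.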
Related Terms
An API is a contract that lets software systems request approved data or actions from one another through documented endpoints.
REST API
A REST API designs web services around resources and HTTP methods, making integrations predictable across web and mobile systems.