What is CORS (Cross-Origin Resource Sharing)?

Turkish: CORS

CORS uses HTTP headers to tell browsers which origins may safely read responses from an API hosted on another origin.

What is CORS?

CORS (Cross-Origin Resource Sharing) is an HTTP header mechanism that decides whether browser JavaScript may read responses across origins. An origin is the combination of scheme, host, and port. https://app.example.com and https://api.example.com are different origins.

How Does It Work?

When a frontend application on one origin calls an API on another origin, the browser treats the call as cross-origin. The server responds with headers such as Access-Control-Allow-Origin that state which origins are allowed. For requests that are not "simple" (for example, methods beyond GET/POST or custom request headers), the browser first sends an OPTIONS preflight request to check that the method, headers, and credential policy are permitted before sending the real request.

Common Misunderstanding

CORS is not server-side authorization. It controls whether the browser exposes the response to JavaScript; it does not block curl, Postman, or server-to-server requests. API security still needs authentication, authorization, rate limiting, and input validation.

Common Headers

  • Access-Control-Allow-Origin: The allowed origin
  • Access-Control-Allow-Methods: Allowed HTTP methods
  • Access-Control-Allow-Headers: Custom request headers
  • Access-Control-Allow-Credentials: Whether the browser may include cookies or HTTP authentication on the cross-origin request and expose the response (cannot be combined with a * origin)

Business Use

Browser-based frontends that call a REST API on a separate domain need CORS configuration; native mobile apps generally are not subject to browser CORS restrictions. In production, broad * access should be replaced with a known origin list, explicit credential policy, and environment-specific configuration.
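As an added example that is not part of the original page, here is the preflight handling from "How Does It Work?" and the known-origin list recommended under "Business Use" written as a small server-side policy function in JavaScript, with the weak reflect-any-origin form beside the hardened form. The origin, method and header lists are constructed sample values.

```javascript
// Added example, not from the page: a CORS allowlist policy for an API server,
// written as a pure function over request headers so it runs without a framework.
// Origins, methods and headers below are constructed sample values.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["Content-Type", "Authorization"];

// Weak form: reflects any Origin and allows credentials, so every site on the
// web can make credentialed requests and read the response in the browser.
function weakCorsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin || "*",
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened form: exact allowlist match only (no prefix or substring checks),
// Vary: Origin so caches never replay one origin's headers to another, and
// preflights validated against explicit method/header lists.
function corsHeaders(req) {
  const origin = req.headers["origin"];
  const isPreflight = req.method === "OPTIONS" && "access-control-request-method" in req.headers;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: send no CORS headers. A normal request is still handled by
    // the API (CORS is not authorization); the browser refuses to expose the reply.
    return { status: isPreflight ? 403 : 200, headers: {} };
  }
  const headers = {
    "Access-Control-Allow-Origin": origin, // never "*" together with credentials
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
  if (!isPreflight) return { status: 200, headers };
  const reqMethod = req.headers["access-control-request-method"].toUpperCase();
  const reqHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowedLower = ALLOWED_HEADERS.map((h) => h.toLowerCase());
  const methodOk = ALLOWED_METHODS.includes(reqMethod);
  const headersOk = reqHeaders.every((h) => allowedLower.includes(h));
  if (!methodOk || !headersOk) return { status: 403, headers: {} };
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = "600"; // cache the preflight result for 10 minutes
  return { status: 204, headers }; // preflight answered; the real request follows
}
```

Wire corsHeaders into the request pipeline before the API handler, and keep ALLOWED_ORIGINS per environment (local, staging, production) rather than one shared list.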