CORS
What is CORS?
Cross-Origin Resource Sharing
Cross-Origin Resource Sharing (CORS) is the browser mechanism that decides whether JavaScript running on `site-a.com` can make requests to `site-b.com`. By default, browsers block these cross-origin requests. CORS headers on `site-b.com`'s responses can explicitly allow specific origins, specific methods, and specific headers.
In more detail
CORS is enforced by the browser, not the server. When a page on `evil.com` tries to fetch from `your-api.com`, the browser first checks the response for an `Access-Control-Allow-Origin` header. If it is missing or does not include `evil.com`, the browser discards the response — even though the server already processed the request.
The common bug is setting `Access-Control-Allow-Origin: *` on endpoints that handle authentication. Browsers refuse to send credentials to a `*` origin, but misconfigurations (most often reflecting the request's `Origin` header unchecked) can still leak data. A correct configuration for an authenticated endpoint names the exact origin and tells caches to key on it:
Access-Control-Allow-Origin: https://app.example.com
Vary: Origin
Access-Control-Allow-Credentials: true
Why this matters
Why builders care
AI-generated backend code tends to ship with wide-open CORS (`*`) as a debugging convenience that never gets tightened. For public data APIs, that is fine. For authenticated endpoints, it is a CSRF-equivalent waiting to be exploited.
FAQ
Frequently asked questions
- Does CORS protect my API from direct attacks?
- No. CORS is a browser rule. Anyone using curl or a script bypasses CORS entirely. For real API security, require authentication and rate limiting.
- Why does my request get blocked even though CORS headers are set?
- Preflight requests (OPTIONS) need their own CORS headers, separate from the actual request. If the preflight fails, the real request never happens.
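The allowlist configuration and preflight handling described above, as an added example that is not part of the original page: a helper for a Node.js HTTP handler that emits the exact-origin headers, answers preflights separately, and audits a header set for the wildcard-plus-credentials bug. The names `ALLOWED_ORIGINS`, `corsHeadersFor` and `auditCorsHeaders` are assumptions, not a real library API.

```javascript
// Added example (not from the page): CORS policy helper for a Node.js handler.
// ALLOWED_ORIGINS, corsHeadersFor and auditCorsHeaders are hypothetical names.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = "GET, POST, OPTIONS";
const ALLOWED_HEADERS = "Content-Type, Authorization";

// Build CORS response headers for one request (req.headers keys are
// lowercase, as Node's http module delivers them). Returns
// { status, headers, preflight }; preflight=true means the handler should
// answer immediately and skip the endpoint logic, since the real request
// never reaches the server if the preflight fails in the browser.
function corsHeadersFor(req) {
  const origin = req.headers.origin;
  const headers = { Vary: "Origin" }; // caches must key on Origin
  const preflight = req.method === "OPTIONS" &&
    "access-control-request-method" in req.headers;

  if (origin === undefined) {
    // Same-origin or non-browser client (curl, scripts): no CORS headers.
    return { status: preflight ? 204 : 200, headers, preflight };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: emit no Allow-Origin, so the browser discards the
    // response. Never reflect req.headers.origin here; that behaves like
    // "*" with credentials, which browsers would otherwise refuse.
    return { status: preflight ? 403 : 200, headers, preflight };
  }
  headers["Access-Control-Allow-Origin"] = origin; // exact origin, never "*"
  headers["Access-Control-Allow-Credentials"] = "true";
  if (preflight) {
    // Preflight needs its own method/header grants, separate from the
    // actual request's headers.
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS;
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS;
    headers["Access-Control-Max-Age"] = "600";
  }
  return { status: preflight ? 204 : 200, headers, preflight };
}

// Classify a response header set; "wildcard-with-credentials" is the
// misconfiguration the page describes.
function auditCorsHeaders(headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"];
  if (acao === "*" && creds === "true") return "wildcard-with-credentials";
  if (acao === "*") return "public-only";
  return acao ? "restricted" : "none";
}
```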
Fix guides
Fix CORS issues
CORS allows all origins
An `Access-Control-Allow-Origin: *` policy lets a page on any site call your API from the browser. Sometimes that is fine, often it is a mistake. Here is how to decide and fix it.
CORS credentials misconfiguration
Setting both `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true` is a dangerous misconfiguration. Here is why browsers block it and how to fix it correctly.
Related terms
Keep learning
Cross-Site Request Forgery
CSRF tricks a logged-in user into performing actions on your site without realizing. SameSite cookies are the modern defense.
SameSite Cookie Attribute
SameSite controls whether the browser sends your cookie on cross-site requests. The main defense against CSRF.