<strong>CORS (Cross-Origin Resource Sharing)</strong> is a security feature that controls which websites can access your API. Browsers block requests from different domains by default; CORS headers tell the browser which cross-origin requests to allow.
The Gated Community Analogy
Your API is like a gated community. By default, the gate (CORS) blocks all visitors from other neighborhoods (domains). You configure CORS to allow specific visitors or everyone.
[Diagram: Other Websites (Visitors, who want to enter) make a request; CORS (the Gate, which controls access) checks it and allows or blocks it; behind the gate is Your API (the Community, the protected resource).]
1. Browser makes request: example.com tries to call api.other.com.
2. Browser checks origin: it sees the request is cross-origin (a different domain).
3. Preflight request (OPTIONS): the browser asks the server, "Is this allowed?"
4. Server responds with CORS headers, for example: Access-Control-Allow-Origin: example.com
5. Browser allows or blocks: if the origin is allowed, the request proceeds.
Wrong: "CORS is an API security feature"
Correct: CORS is a <strong>browser security feature</strong>. It only affects requests made by browsers. Tools like Postman or curl bypass CORS because they are not browsers.
Frontend calling backend API:
- Frontend: https://myapp.com
- API: https://api.myapp.com (a different subdomain counts as cross-origin)
- Without a CORS header from the API: the browser blocks the request
- With the CORS header Access-Control-Allow-Origin: https://myapp.com → Allowed
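The five-step flow above and the myapp.com example both come down to one server-side decision: given the request's Origin header, which CORS response headers (if any) to send back. The Python below is an added example, not code from the page; it assumes an allow-list containing only https://myapp.com and hypothetical method and header allow-lists, and it only computes headers, so it can sit in front of any HTTP framework. It covers two points the text leaves implicit: a preflight (OPTIONS) is sent only for requests that are not "simple" (custom headers such as Authorization, methods like PUT or DELETE), and the scheme is part of the origin, so http://myapp.com is a different origin from https://myapp.com. For contrast it also shows the frequent misconfiguration of reflecting whatever Origin arrives, which makes the allow-list meaningless. Because CORS is enforced by the browser, a disallowed origin still gets served; the API's own authentication and authorization remain the real access control.

```python
"""CORS decision logic: an explicit allow-list versus reflecting any origin.

Added example (not the page's code). Only response headers are computed, so
the functions plug into any HTTP framework that lets you set headers.
"""
from typing import Dict, Iterable, Tuple

# Assumed allow-lists for the frontend/API pair described on the page.
ALLOWED_ORIGINS = frozenset({"https://myapp.com"})      # scheme + host (+ port)
ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE")     # hypothetical API surface
ALLOWED_REQUEST_HEADERS = frozenset({"content-type", "authorization"})
PREFLIGHT_MAX_AGE = 600  # seconds the browser may cache a preflight result


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalise them once."""
    return {k.lower(): v for k, v in headers.items()}


def cors_headers(method: str, request_headers: Dict[str, str],
                 allowed_origins: Iterable[str] = ALLOWED_ORIGINS,
                 allow_credentials: bool = True) -> Tuple[int, Dict[str, str]]:
    """Return (status, extra_response_headers) for one incoming request.

    * No Origin header: same-origin request or a non-browser client such as
      curl. Nothing to add, because CORS is a browser mechanism.
    * Origin not on the allow-list: add no CORS headers. The server still
      answers; it is the browser that hides the response from the page.
    * OPTIONS with Access-Control-Request-Method: a preflight. Reply 204 and,
      if the requested method and headers are acceptable, the Allow-* headers.
    * Anything else from an allowed origin: add Allow-Origin (and
      Allow-Credentials) so the calling page may read the response.
    """
    h = _lower_keys(request_headers)
    origin = h.get("origin")
    requested_method = h.get("access-control-request-method")
    is_preflight = method.upper() == "OPTIONS" and requested_method is not None
    base_status = 204 if is_preflight else 200

    if origin is None or origin not in set(allowed_origins):
        return base_status, {}

    # Echo the exact allowed origin (never "*" when credentials are involved)
    # and mark the response as varying on Origin so a shared cache does not
    # hand one origin's answer to another.
    out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        out["Access-Control-Allow-Credentials"] = "true"

    if not is_preflight:
        return 200, out

    # Preflight: vet what the browser is asking permission for.
    if requested_method.upper() not in ALLOWED_METHODS:
        return 204, {}  # no Allow-* headers, so the browser fails the preflight
    asked = [x.strip().lower()
             for x in h.get("access-control-request-headers", "").split(",")
             if x.strip()]
    if any(x not in ALLOWED_REQUEST_HEADERS for x in asked):
        return 204, {}
    out["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
    out["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_REQUEST_HEADERS))
    out["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE)
    return 204, out


def reflect_origin_cors(request_headers: Dict[str, str]) -> Dict[str, str]:
    """The common misconfiguration, kept here only for contrast.

    Copying whatever Origin arrives into Allow-Origin while also enabling
    credentials is equivalent to having no allow-list: every site's
    JavaScript can read authenticated responses from the API.
    """
    origin = _lower_keys(request_headers).get("origin", "*")
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


if __name__ == "__main__":
    # Constructed request headers as a browser on https://myapp.com would send.
    print(cors_headers("GET", {"Origin": "https://myapp.com"}))
    print(cors_headers("OPTIONS", {"Origin": "https://myapp.com",
                                   "Access-Control-Request-Method": "PUT",
                                   "Access-Control-Request-Headers": "Authorization"}))
    print(cors_headers("GET", {"Origin": "https://other.example"}))
```

To check a deployment, request the API with an Origin header you do not expect to be allowed and confirm the response carries no Access-Control-Allow-Origin at all; an Allow-Origin that simply mirrors whatever you sent is the reflecting pattern shown in `reflect_origin_cors`.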