Cors Introduction For Beginners

In spy movies, security operatives have a coded way of transmitting information amongst themselves. Since they are mostly transmitting information that can be used against them if it falls in the hands of their enemies, they have to make sure that those who are receiving the information are trusted parties. The same applies to those who are sending the said information. When the sender and receiver are trusted, the credibility and security of the information can be guaranteed. A replica of this scenario happens in the communication between browsers and web servers, and it is called the same-origin policy. According to MDN:

What is CORS?

In a real-life case, when security operatives give a rule that communication should only happen amongst its operatives as a means of security, that’s similar to the same-origin policy. Yet, there might be cases where they will need to interact with the outside world. Or with operatives of other security outfits, for that to happen, they can implement another security measure to verify those operatives. This verification can come in different ways, depending on the operatives involved. In the case of communication on the Internet, CORS is the mechanism that makes it possible for browsers use to access resources that they originally will not be able to because the resource is of a different origin. I have talked about origin more than once, and you’re probably wondering what that means. An origin is defined by the protocol, domain, and port of the URL. When you have your API at an origin like https://api.geekflare.com:3001 and your frontend at https://geekflare.com, the origins are said to be different. In this situation, you’ll need CORS to be able to access resources on both ends. When requests are made to a server, the browsers (client) and servers send requests and response, HTTP headers are included. Amongst these headers, additional headers are included to prevent the browser from blocking the communication. Why will the browser block the communication? Its browser security features. It will do so if the request is coming from an origin different from that of the client. The additional headers included as a result of CORS is a way of telling the client that it can make use of the response that it received.

CORS Headers

One of the secure headers which can be either response or request header.

Response Headers

These are the headers that the server sends back in its response.

Access-Control-Allow-Origin: : This is used to specify the origin allowed to access the resource on the server. It’s possible to specify that only requests from a specific origin are allowed – Access-Control-Allow-Origin: https://geekflare.com, or that the origin does not matter – Access-Control-Allow-Origin: *. Access-Control-Expose-Headers: : As the name implies, this lists the headers the browser has access to. Access-Control-Max-Age: : This indicates the duration for which the response of a preflight request can be cached. Access-Control-Allow-Credentials: : This indicates that the browser can make use of the response when the initial request was made with a credential. Access-Control-Allow-Methods: : This indicates the method(s) that allowed when attempting to access a resource. Access-Control-Allow-Headers: : This indicates the HTTP headers can be used in a request.

Here is an example of what the response will look like

Request Headers

Here are the headers that a client’s request should contain in order to make use of the CORS mechanism.

Origin: : This indicates the origin of the client’s request. When working with a frontend and backend, as stated before, this will be the host of your frontend application. Access-Control-Request-Method: : This is used in a preflight request to indicate the HTTP method that will be used to make the request. Access-Control-Request-Headers: