Open in app

Sign in

Write

Sign in

Understanding CORS

Soulaimaneyh
4 min readNov 4, 2023

--

1. CORS 2. Cross-Origin Resource Sharing 3. Same-Origin Policy 4. Web Security 5. HTTP Headers 6. Access-Control-Allow-Origin 7. Access-Control-Allow-Methods 8. Access-Control-Allow-Headers 9. Preflight Request 10. Origin Header 11. Cross-Origin Requests 12. Cross-Origin Requests with Credentials 13. Cross-Origin Cookies 14. Cross-Origin Authentication 15. Same-Origin vs. Cross-Origin 16. Web Development 17. Web APIs 18. Web Browsers 19. XMLHttpRequest 20. Fetch API 21. JavaScript 22. Server-Sid
Understanding CORS

CORS, or Cross-Origin Resource Sharing, is a security feature implemented by web browsers to control web page access to resources on a different domain. It is a critical security mechanism that helps prevent certain types of malicious attacks, such as Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS), while still allowing for legitimate cross-origin requests.

Here’s a more detailed explanation of CORS

Same-Origin Policy

Web browsers enforce a security policy known as the Same-Origin Policy. This policy prevents web pages from making requests to a different domain (i.e., a different origin) than the one that served the web page. This restriction helps to protect users from potential security vulnerabilities.

Cross-Origin Requests

Sometimes, you may have a legitimate reason to make requests to a different domain, such as when your web application needs to fetch data from an API hosted on another server. This is where CORS comes into play.

CORS Headers

When a web page makes a cross-origin request, the server receiving the request can respond with specific HTTP headers to grant or deny permission to access the requested resource. These headers include:

`Access-Control-Allow-Origin`: Specifies which origins are allowed to access the resource. For example, the server can set this header to a specific domain or use a wildcard “*” to allow any domain.

location / {
    add_header 'Access-Control-Allow-Origin' 'multividas.com';
}

To allow any domain, you can use a wildcard:

location / {
    add_header 'Access-Control-Allow-Origin' '*';
}

`Access-Control-Allow-Methods`: Specifies which HTTP methods (e.g., GET, POST, PUT, DELETE) are allowed when accessing the resource.

location / {
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE';
}

`Access-Control-Allow-Headers`: Lists the HTTP headers that are allowed in the actual request.

location / {
    add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization';
}

`Access-Control-Allow-Credentials`: Indicates whether credentials, such as cookies or HTTP authentication, can be included in the request.

If you want to allow credentials like cookies or HTTP authentication, you need to set the Access-Control-Allow-Credentials header to "true." Note that you also need to include the Access-Control-Allow-Origin header with a specific origin and not a wildcard '*' if you want to allow credentials:

location / {
    add_header 'Access-Control-Allow-Origin' 'multividas.com';
    add_header 'Access-Control-Allow-Credentials' 'true';
}

`Access-Control-Expose-Headers`: The Access-Control-Expose-Headers header specifies which response headers the browser can expose to the requesting client, allowing JavaScript code in a web page to access those headers when making cross-origin requests. Here's an example of how you can configure the Access-Control-Expose-Headers header in an Nginx configuration:

location / {
    add_header 'Access-Control-Expose-Headers' 'X-Api-Responser-Header';
}

`Access-Control-Max-Age`: Specifies how long the results of a preflight request (a pre-check before the actual request) can be cached.

location / {
    add_header 'Access-Control-Max-Age' '3600';
}

Preflight Request

In some cases, a preflight request is sent before the actual request. The preflight request is an HTTP OPTIONS request that the browser sends to the server to check which methods, headers, and origins are allowed. The server responds with appropriate CORS headers, and if everything is allowed, the browser proceeds with the actual request.

Browser Enforcement

The browser plays a crucial role in enforcing CORS. If the server’s CORS headers do not permit the request, the browser will block the response from being accessed by the requesting web page through JavaScript. This helps ensure that sensitive data is not exposed to unauthorized origins.

Access-Control-Allow-Methods Header

The “Access-Control-Allow-Methods” header is used by the server to specify which HTTP methods are allowed when making cross-origin requests to a particular resource. It lists the HTTP methods that the server permits for the resource. These methods can include standard methods like GET, POST, PUT, DELETE, etc.

For example, if a server includes the following header in its response

Access-Control-Allow-Methods: GET, POST, PUT, DELETE

It means that the server allows cross-origin requests from web pages served by other domains to use these HTTP methods when interacting with the specified resource.

Access-Control-Allow-Credentials Header

The “Access-Control-Allow-Credentials” header controls whether the browser should include credentials, such as cookies, in cross-origin requests. It is a boolean header that can have one of two values: true or false.

  • If “Access-Control-Allow-Credentials” is set to true, it indicates that the server allows credentials (like cookies or HTTP authentication) to be included in the request. This is typically used when the server and the web page belong to the same organization or domain.
  • If “Access-Control-Allow-Credentials” is set to false, it means that credentials should not be included in the request. This is the default behavior and is used when dealing with public resources that don't require authentication.

For example, the server might include this header in the response:

Access-Control-Allow-Credentials: true

In this case, it tells the browser that it can include credentials when making cross-origin requests to the server.

It’s important to note that when “Access-Control-Allow-Credentials” is set to true, the client-side JavaScript code must also set the "withCredentials" property to true in the XMLHttpRequest or Fetch API request to indicate that it wants to include credentials in the request. Additionally, the server must have proper configuration to accept and handle credentials in cross-origin requests.

In summary,

CORS is a security feature that allows web servers to control which origins are permitted to access their resources, while browsers enforce these rules. It strikes a balance between security and the need for legitimate cross-origin communication, enabling the safe integration of web services and APIs into web applications. Properly configuring CORS on your server is essential to ensure your web application works as intended while maintaining security.

Cors
Cross Origin Resource
Cross Origin
Cord Nginx
Nginx Configuration

--

--

Soulaimaneyh

Written by Soulaimaneyh

161 Followers

Talking about #backend-engineering

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams