Security Best Practices

Fixing Cross-Origin Resource Sharing

CORS enables the browser to manage cross-domain content by either allowing or denying it based on the configured security settings.

HTTP Request Headers#

When a domain is requesting to interact with a resource on another domain, request headers are added from the first domain in order to use the cross-origin resource sharing feature. These are the HTTP request headers that may be associated with the requesting domain.

  • Origin
  • Access-Control-Request-Method
  • Access-Control-Request-Headers

HTTP Response Headers#

The domain who’s resources are being requested can respond to the first domain with the following HTTP response headers based on what configuration options are set.

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials
  • Access-Control-Expose-Headers
  • Access-Control-Max-Age
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers

You can find more on setting CORS the correct way by visiting this website.

Was this helpful?