Cross-Origin Resource Sharing (CORS)
Cross-Origin Resource Sharing (CORS) is a browser security mechanism that uses HTTP headers to define which external origins are permitted to access resources on a web server. Misconfigured CORS policies can allow unauthorised cross-origin access to sensitive data.
CORS is an extension of the Same-Origin Policy that allows servers to explicitly grant permission for cross-origin requests. Modern browsers enforce the Same-Origin Policy, which restricts web pages from making requests to a different domain than the one that served the page. CORS provides a controlled way to relax this restriction through a set of HTTP response headers.
When a browser makes a cross-origin request, it may first send a preflight OPTIONS request to determine whether the server permits the actual request. The server responds with CORS headers such as Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers. The browser then decides whether to allow the actual request based on these headers.
CORS misconfigurations are a significant security concern. Common mistakes include setting Access-Control-Allow-Origin to a wildcard (*) while also allowing credentials, dynamically reflecting the Origin header without validation, or trusting overly broad origin patterns. These misconfigurations can allow attackers to steal sensitive data from authenticated sessions across origins.
Secure CORS configuration requires maintaining a strict allowlist of trusted origins, never reflecting arbitrary origins, avoiding the use of wildcards when credentials are involved, restricting allowed methods and headers to only what is necessary, and regularly auditing CORS policies as application requirements change.
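The following is an added example, not code from the original page: a small, dependency-free Node.js policy function that models the preflight decision described above and places a misconfigured policy (origin reflection, broad suffix matching) beside a strict allowlist. The function names, the trusted origins and the sample requests are constructed for illustration and are not taken from any real application.

```javascript
// Added example: CORS policy decisions as plain functions over a request
// object of the shape { method, headers } (hypothetical, constructed here).

// Constructed allowlist: the only origins this API is meant to serve.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["Content-Type", "Authorization"];
const allowedHeadersLower = ALLOWED_HEADERS.map((h) => h.toLowerCase());

// Misconfiguration 1: reflect whatever Origin arrives and allow credentials.
// Any origin is then granted credentialed read access to the response.
function weakCorsHeaders(req) {
  const origin = req.headers["origin"];
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Misconfiguration 2: an "allowlist" implemented as a suffix match. It also
// admits hosts such as https://evilexample.com, which merely end in the name.
function broadPatternAllows(origin) {
  return typeof origin === "string" && origin.endsWith("example.com");
}

// Strict policy: exact-match allowlist, credentials only for listed origins,
// no wildcard, and preflight answers limited to the methods/headers in use.
function strictCorsHeaders(req) {
  const origin = req.headers["origin"];
  // Same-origin and non-browser requests carry no Origin: emit no CORS headers.
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return {};
  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // The response differs per Origin, so shared caches must not reuse it.
    "Vary": "Origin",
  };
  if (req.method === "OPTIONS") {
    // Preflight: grant only what the allowlist permits, else return nothing
    // so the browser blocks the actual request.
    const reqMethod = req.headers["access-control-request-method"];
    const reqHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const methodOk = ALLOWED_METHODS.includes(reqMethod);
    const headersOk = reqHeaders.every((h) => allowedHeadersLower.includes(h));
    if (!methodOk || !headersOk) return {};
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Constructed sample requests (not captured traffic).
const hostileRequest = {
  method: "GET",
  headers: { origin: "https://evilexample.com" },
};
const trustedPreflight = {
  method: "OPTIONS",
  headers: {
    origin: "https://app.example.com",
    "access-control-request-method": "POST",
    "access-control-request-headers": "content-type",
  },
};
const trustedPreflightBadMethod = {
  method: "OPTIONS",
  headers: {
    origin: "https://app.example.com",
    "access-control-request-method": "DELETE",
  },
};

console.log("weak:", weakCorsHeaders(hostileRequest));
console.log("suffix match admits hostile origin:", broadPatternAllows(hostileRequest.headers.origin));
console.log("strict, hostile:", strictCorsHeaders(hostileRequest));
console.log("strict, trusted preflight:", strictCorsHeaders(trustedPreflight));
console.log("strict, disallowed method:", strictCorsHeaders(trustedPreflightBadMethod));
```

The strict variant returns an empty header set rather than an error for untrusted origins: the browser then applies the Same-Origin Policy and blocks the page from reading the response, which is the intended outcome. Emitting `Vary: Origin` matters whenever the allow-origin value is computed per request, so that a cached response for one trusted origin is not served to another.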