Cross-origin Resource Sharing (CORS)

Last updated: February 8, 2026Reviewed date: February 8, 2026Reading time: 6 min read
Patient Tools

Read, save, and share this guide

Use these quick tools to make this medical article easier to read, print, save, or share with a family member.

Article Summary

Cross-origin resource sharing (CORS) is a mechanism for integrating applications. CORS defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. This is useful because complex applications often reference third-party APIs and resources in their client-side code. For example, your application may use your browser to pull videos from a video platform API, use...

Key Takeaways

  • This article explains Why is cross-origin resource sharing important? in simple medical language.
  • This article explains How does cross-origin resource sharing work? in simple medical language.
  • This article explains What is a CORS preflight request? in simple medical language.
  • This article explains What is the difference between CORS and JSONP? in simple medical language.
Educational health guideWritten for patient understanding and clinical awareness.
Reviewed content workflowUse writer and reviewer profiles for stronger trust.
Emergency safety firstUrgent warning signs are highlighted below.

Seek urgent medical care if you notice

These warning signs are general safety guidance. Local emergency numbers and clinical judgment should always come first.

  • Severe symptoms, breathing difficulty, fainting, confusion, or rapidly worsening illness.
  • New weakness, severe pain, high fever, or symptoms after a serious injury.
  • Any symptom that feels urgent, unusual, or unsafe for the patient.
1

Emergency now

Use emergency care for severe, sudden, rapidly worsening, or life-threatening symptoms.

2

See a doctor

Book a professional medical evaluation if symptoms persist, worsen, recur often, affect daily activities, or occur in a high-risk patient.

3

Learn safely

Use this article to understand possible causes, tests, treatment options, prevention, and questions to ask your clinician.

Cross-origin resource sharing (CORS) is a mechanism for integrating applications. CORS defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. This is useful because complex applications often reference third-party APIs and resources in their client-side code. For example, your application may use your browser to pull videos from a video platform API, use fonts from a public font library, or display weather data from a national weather database. CORS allows the client browser to check with the third-party servers if the request is authorized before any data transfers.

Why is cross-origin resource sharing important?

In the past, when internet technologies were still new, cross-site request forgery (CSRF) issues happened. These issues sent fake client requests from the victim’s browser to another application.

For example, the victim logged into their bank’s application. Then they were tricked into loading an external website on a new browser tab. The external website then used the victim’s cookie credentials and relayed data to the bank application while pretending to be the victim. Unauthorized users then had unintended access to the bank application.

To prevent such CSRF issues, all browsers now implement the same-origin policy.

Same-origin policy

Today, browsers enforce that clients can only send requests to a resource with the same origin as the client’s URL. The protocol, port, and hostname of the client’s URL should all match the server it requests.

For example, consider the origin comparison for the below URLs with the client URL http://store.aws.com/dir/page.html.

URLOutcomeReason
http://store.aws.com/dir2/new.htmlSame originOnly the path differs
http://store.aws.com/dir/inner/other.html        Same originOnly the path differs
https://store.aws.com/page.htmlDifferent originDifferent protocol
http://store.aws.com:81/dir/page.htmlDifferent originDifferent port (http:// is port 80 by default)
http://news.aws.com/dir/page.htmlDifferent originDifferent host

So, the same-origin policy is highly secure but inflexible for genuine use cases.

Cross-origin resource sharing (CORS) is an extension of the same-origin policy. You need it for authorized resource sharing with external third parties. For example, you need CORS when you want to pull data from external APIs that are public or authorized. You also need CORS if you want to allow authorized third-party access to your own server resources.

How does cross-origin resource sharing work?

In standard internet communication, your browser sends an HTTP request to the application server, receives data as an HTTP response, and displays it. In browser terminology, the current browser URL is called the current origin and the third-party URL is cross-origin.

When you make a cross-origin request, this is the request-response process:

  1. The browser adds an origin header to the request with information about the current origin’s protocol, host, and port
  2. The server checks the current origin header and responds with the requested data and an Access-Control-Allow-Origin header
  3. The browser sees the access control request headers and shares the returned data with the client application

Alternatively, if the server doesn’t want to allow cross-origin access, it responds with an error message.

Cross-origin resource sharing example

For example, consider a site called https://news.example.com. This site wants to access resources from an API at partner-api.com.

Developers at https://partner-api.com first configure the cross-origin resource sharing (CORS) headers on their server by adding new.example.com to the allowed origins list. They do this by adding the below line to their server configuration file.

Access-Control-Allow-Origin: https://news.example.com

Once CORS access is configured, news.example.com can request resources from partner-api.com. For every request, partner-api.com will respond with Access-Control-Allow-Credentials : “true.” The browser then knows the communication is authorized and permits cross-origin access.

If you want grant access to multiple origins, use a comma-separated list or wildcard characters like * that grant access to everyone.

What is a CORS preflight request?

In HTTP, request methods are the data operations the client wants the server to perform. Common HTTP methods include GETPOSTPUT, and DELETE.

In a regular cross-origin resource sharing (CORS) interaction, the browser sends the request and access control headers at the same time. These are usually GET data requests and are considered low-risk.

However, some HTTP requests are considered complex and require server confirmation before the actual request is sent. The preapproval process is called preflight request.

Complex cross-origin requests

Cross-origin requests are complex if they use any of the following:

  • Methods other than GETPOST, or HEAD
  • Headers other than Accept-Language, Accept, or Content-Language
  • Content-Type headers other than multipart/form-dataapplication/x-www-form-urlencoded, or text/plain

So, for example, requests to delete or modify existing data are considered complex.

How preflight requests work

Browsers create preflight requests if they are needed. It’s an OPTIONS request like the following one.

OPTIONS /data HTTP/1.1

Origin: https://example.com

Access-Control-Request-Method: DELETE

The browser sends the preflight request before the actual request message. The server must respond to the preflight request with information about the cross-origin requests the server’s willing to accept from the client URL. The server response headers must include the following:

  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers
  • Access-Control-Allow-Origin

An example server response is given below.

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Content-Type

Access-Control-Allow-Origin: https://news.example.com

Access-Control-Allow-Methods: GETDELETEHEADOPTIONS

The preflight response sometimes includes an additional Access-Control-Max-Age header. This metric specifies the duration (in seconds) for the browser to cache preflight results in the browser. Caching allows the browser to send several complex requests between preflight requests. It doesn’t have to send another preflight request until the time specified by max-age elapses.

What is the difference between CORS and JSONP?

JSON with Padding (JSONP) is a historical technique that allows communication between web applications running on different domains.

With JSONP, you use HTML script tags in the client page. The script tag loads external JavaScript files or embeds JavaScript code directly within an HTML page. Because scripts aren’t subject to the same-origin policy, you can retrieve cross-origin data through the JavaScript code.

However, the data must be in JSON format. Also, JSONP is less secure than cross-origin resource sharing (CORS) because it relies on the trustworthiness of the external domain to provide safe data.

Modern browsers have added some security features, so older code containing JSONP will no longer work on them. CORS is the current global web standard for cross-origin access control.

What are some CORS best practices?

You should note the following when you configure cross-origin resource sharing (CORS) on your server.

Define appropriate access lists

It is always best to grant access to individual domains using comma-separated lists. Avoid using wildcards unless you want to make the API public. Otherwise, using wildcards and regular expressions may create vulnerabilities.

For example, let’s say you write a regular expression that grants access to all sites with the suffix permitted-website.com. With one expression, you grant access to api.permitted-website.com and news.permitted-website.com. But you also inadvertently grant access to unauthorized sites that may use domains like maliciouspermitted-website.com.

Avoid using null origin in your list

Some browsers send the value null in the request header for certain scenarios like file requests or requests from the local host.

However, you shouldn’t include the null value in your access list. It also introduces security risks as unauthorized requests containing null headers may get access.

Patient safety assistant

Check your symptom safely

Hi, I am RX Symptom Navigator. I can help you understand what to read next and what warning signs need care.
Warning: Do not use this in emergencies, pregnancy, severe illness, or as a substitute for a doctor. For children or teens, use with a parent/guardian and clinician.
A rural-friendly guide: warning signs, when to see a doctor, related articles, tests to discuss, and OTC safety education.
1 Symptom 2 Severity 3 Safe guidance
First safety question

Is there chest pain, breathing trouble, fainting, confusion, severe bleeding, stroke-like weakness, severe injury, or pregnancy danger sign?

Choose quickly

Browse by body area
Start here: Write or select a symptom. The guide will show warning signs, doctor guidance, diagnostic tests to discuss, OTC safety education, and related RX articles.

Important: This tool is educational only. It cannot diagnose, treat, or replace a doctor. OTC information is not a prescription. In an emergency, contact local emergency services or go to the nearest hospital.

Doctor visit helper

Prepare before seeing a doctor

A simple rural-patient checklist to help you explain symptoms clearly, ask better questions, and avoid unsafe self-treatment.

Safety note: This is not a prescription or diagnosis. For severe symptoms, pregnancy danger signs, children with serious illness, chest pain, breathing difficulty, stroke-like weakness, or major injury, seek urgent care.

Which doctor may help?

Start with a registered doctor or the nearest qualified health center.

What to tell the doctor

  • Write when the problem started and how it changed.
  • Bring old prescriptions, investigation reports, and current medicines.
  • Write allergies, pregnancy status, diabetes, kidney/liver disease, and major past illnesses.
  • Bring one family member if the patient is weak, elderly, confused, or a child.

Questions to ask

  • What is the most likely cause of my symptoms?
  • Which danger signs mean I should go to hospital quickly?
  • Which tests are necessary now, and which can wait?
  • How should I take medicines safely and what side effects should I watch for?
  • When should I come for follow-up?

Tests to discuss

  • Vital signs: temperature, pulse, blood pressure, oxygen saturation
  • Basic physical examination by a clinician
  • CBC, urine test, blood sugar, or imaging only when clinically needed

Avoid these mistakes

  • Do not use antibiotics, steroid tablets/injections, or strong painkillers without proper medical advice.
  • Do not hide pregnancy, kidney disease, ulcer, allergy, or blood thinner use.
  • Do not delay emergency care when danger signs are present.

Medicine safety and first-aid guide

This section is for patient education only. It does not replace a doctor, pharmacist, or emergency care.

Safe first steps

  • Rest, drink safe water, and observe symptoms carefully.
  • Keep a written note of symptoms, duration, temperature, medicines already taken, and allergy history.
  • Seek medical care quickly if symptoms are severe, worsening, or unusual for the patient.

OTC medicine safety

  • For mild pain or fever, ask a registered pharmacist or doctor before using common over-the-counter pain/fever medicines.
  • Do not combine multiple pain medicines without advice, especially if you have kidney disease, liver disease, stomach ulcer, asthma, pregnancy, or take blood thinners.
  • Do not give adult medicines to children unless a qualified clinician advises it.

Avoid these mistakes

  • Do not start antibiotics without a proper medical decision.
  • Do not use steroid tablets or injections casually for quick relief.
  • Do not delay emergency care because of home remedies.

Get urgent help if

  • Severe symptoms, confusion, fainting, breathing difficulty, chest pain, severe dehydration, or sudden weakness need urgent medical care.
Medicine names, dose, and timing must be decided by a qualified clinician or pharmacist after checking age, pregnancy, allergy, other diseases, and current medicines.

For rural patients and family caregivers

Patient health record and symptom diary

Write your symptoms, medicines already taken, test results, and questions before visiting a doctor. This note stays on your device unless you print or copy it.

Doctor to discuss: Doctor / qualified healthcare provider
Tests to discuss with doctor
  • Basic vital signs: temperature, pulse, blood pressure, oxygen level if needed
  • Relevant blood, urine, imaging, or specialist tests only after clinical assessment
Questions to ask
  • What is the most likely cause of my symptoms?
  • Which warning signs mean I should go to emergency care?
  • Which tests are really needed now?
  • Which medicines are safe for my age, pregnancy status, allergy, kidney/liver/stomach condition, and current medicines?

Emergency warning signs such as chest pain, severe breathing difficulty, sudden weakness, confusion, severe dehydration, major injury, or loss of bladder/bowel control need urgent medical care. Do not wait for online information.

Safe pathway to proper treatment

Patient care roadmap

Use this simple roadmap to understand the next safe steps. It is educational and does not replace examination by a doctor.

Go to emergency care if you notice:
  • Severe or rapidly worsening symptoms
  • Breathing difficulty, chest pain, fainting, confusion, severe weakness, major injury, or severe dehydration
Doctor / service to discuss: Qualified healthcare provider; specialist depends on symptoms and examination.
  1. Step 1

    Check danger signs first

    If danger signs are present, seek emergency care and do not wait for online information.

  2. Step 2

    Record the symptom story

    Write when symptoms started, severity, medicines already taken, allergies, pregnancy status, and test results.

  3. Step 3

    Visit a qualified clinician

    A doctor, nurse, or qualified healthcare provider can examine you and decide which tests or treatment are needed.

  4. Step 4

    Do only useful tests

    Do tests after clinical assessment. Avoid unnecessary tests, random antibiotics, or repeated medicines without diagnosis.

  5. Step 5

    Follow up and return early if worse

    If symptoms worsen, new warning signs appear, or treatment is not helping, return for review quickly.

Rural patient practical tips
  • Take a written symptom diary and all previous prescriptions/test reports.
  • Do not hide medicines already taken, even herbal or over-the-counter medicines.
  • Ask which warning signs mean urgent referral to hospital.

This roadmap is for education. A real diagnosis and treatment plan requires history, examination, and clinical judgment.

RX Patient Help

Ask a health question safely

Write your symptom story. A health professional or site editor can review it before any answer is prepared. This box is not for emergency care.

Emergency first: Severe chest pain, breathing trouble, unconsciousness, stroke signs, severe injury, heavy bleeding, or rapidly worsening symptoms need urgent local medical care now.

Frequently Asked Questions

Why is cross-origin resource sharing important?

In the past, when internet technologies were still new, cross-site request forgery (CSRF) issues happened. These issues sent fake client requests from the victim's browser to another application. For example, the victim logged into their bank's application. Then they were tricked into loading an external website on a new browser tab. The external website then used the victim's cookie credentials and relayed data to the bank application while pretending to be the victim. Unauthorized users then had unintended access to…

Same-origin policy Today, browsers enforce that clients can only send requests to a resource with the same origin as the client's URL. The protocol, port, and hostname of the client's URL should all match the server it requests.For example, consider the origin comparison for the below URLs with the client URL http://store.aws.com/dir/page.html.URL Outcome Reasonhttp://store.aws.com/dir2/new.html Same origin Only the path differshttp://store.aws.com/dir/inner/other.html         Same origin Only the path differshttps://store.aws.com/page.html Different origin Different protocolhttp://store.aws.com:81/dir/page.html Different origin Different port (http:// is port 80 by default)http://news.aws.com/dir/page.html Different origin Different hostSo, the same-origin policy is highly secure but inflexible for genuine use cases.Cross-origin resource sharing (CORS) is an extension of the same-origin policy. You need it for authorized resource sharing with external third parties. For example, you need CORS when you want to pull data from external APIs that are public or authorized. You also need CORS if you want to allow authorized third-party access to your own server resources.How does cross-origin resource sharing work?

In standard internet communication, your browser sends an HTTP request to the application server, receives data as an HTTP response, and displays it. In browser terminology, the current browser URL is called the current origin and the third-party URL is cross-origin. When you make a cross-origin request, this is the request-response process: The browser adds an origin header to the request with information about the current origin's protocol, host, and port The server checks the current origin header and responds with the requested…

Cross-origin resource sharing example For example, consider a site called https://news.example.com. This site wants to access resources from an API at partner-api.com.Developers at https://partner-api.com first configure the cross-origin resource sharing (CORS) headers on their server by adding new.example.com to the allowed origins list. They do this by adding the below line to their server configuration file.Access-Control-Allow-Origin: https://news.example.comOnce CORS access is configured, news.example.com can request resources from partner-api.com. For every request, partner-api.com will respond with Access-Control-Allow-Credentials : "true." The browser then knows the communication is authorized and permits cross-origin access.If you want grant access to multiple origins, use a comma-separated list or wildcard characters like * that grant access to everyone.What is a CORS preflight request?

In HTTP, request methods are the data operations the client wants the server to perform. Common HTTP methods include GET, POST, PUT, and DELETE. In a regular cross-origin resource sharing (CORS) interaction, the browser sends the request and access control headers at the same time. These are usually GET data requests and are considered low-risk. However, some HTTP requests are considered complex and require server confirmation before the actual request is sent. The preapproval process is called preflight request.

Complex cross-origin requests Cross-origin requests are complex if they use any of the following:Methods other than GET, POST, or HEAD Headers other than Accept-Language, Accept, or Content-Language Content-Type headers other than multipart/form-data, application/x-www-form-urlencoded, or text/plainSo, for example, requests to delete or modify existing data are considered complex. How preflight requests work Browsers create preflight requests if they are needed. It's an OPTIONS request like the following one.OPTIONS /data HTTP/1.1Origin: https://example.comAccess-Control-Request-Method: DELETEThe browser sends the preflight request before the actual request message. The server must respond to the preflight request with information about the cross-origin requests the server’s willing to accept from the client URL. The server response headers must include the following:Access-Control-Allow-Methods Access-Control-Allow-Headers Access-Control-Allow-OriginAn example server response is given below.HTTP/1.1 200 OKAccess-Control-Allow-Headers: Content-TypeAccess-Control-Allow-Origin: https://news.example.comAccess-Control-Allow-Methods: GET, DELETE, HEAD, OPTIONSThe preflight response sometimes includes an additional Access-Control-Max-Age header. This metric specifies the duration (in seconds) for the browser to cache preflight results in the browser. Caching allows the browser to send several complex requests between preflight requests. It doesn’t have to send another preflight request until the time specified by max-age elapses.What is the difference between CORS and JSONP?

JSON with Padding (JSONP) is a historical technique that allows communication between web applications running on different domains. With JSONP, you use HTML script tags in the client page. The script tag loads external JavaScript files or embeds JavaScript code directly within an HTML page. Because scripts aren’t subject to the same-origin policy, you can retrieve cross-origin data through the JavaScript code. However, the data must be in JSON format. Also, JSONP is less secure than cross-origin resource sharing (CORS)…

What are some CORS best practices?

You should note the following when you configure cross-origin resource sharing (CORS) on your server.

References

Add references, clinical guidelines, textbooks, journal articles, or trusted medical sources here. You can edit this area from the RX Article Professional Blocks panel.

More from this topic
  1. How To Speed Up a WordPress (WP) Web Site

    To speed up a WordPress (WP) site, you need a combination of a solid foundation (hosting, theme) and optimization techniques (caching, image compression, code minification). These improvements...

    November 4, 2025 PHP, JS, CSS, Python, and Machine Learning Technology
  2. JavaScript Frameworks and Libraries List

    JavaScript frameworks and libraries are collections of pre-written JavaScript code designed to streamline and enhance web development. While both provide reusable code, their primary distinction lies in...

    October 26, 2025 PHP, JS, CSS, Python, and Machine Learning Technology
  3. Types of Linux

    Linux is most widely used by advanced users who always want to have more control over their system. In this user are allowed to easily install...

    November 7, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  4. User Agents for Web Scraping

    When scraping large amounts of information, the main problem is the risk of blocking and how to avoid it. We have already discussed that you can...

    September 28, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  5. Solid-State Drive (SSD)

    Solid-State Drive (SSD) is a solid-state storage device that uses integrated circuit assemblies to store data persistently, typically using flash memory. SSDs store data in semiconductor cells....

    July 5, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  6. HEADer.php Metadata

    To turn your web pages into graph objects, you need to add basic metadata to your page. We’ve based the initial version of the protocol on RDFa which...

    June 28, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  7. Largest Contentful Paint

    Developers today don’t have a reliable metric that correlates with their user’s visual rendering experience. Existing metrics such as First Paint and First Contentful Paint focus...

    June 11, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  8. Computer Short Code

    বর্তমান দিনে কম্পিউটার ছাড়া আমাদের এক পা এগোনো খুব কঠিন হয়ে উঠেছে।আপনি কয়েক সেকেন্ডের মধ্যে কিভাবে কম্পিউটার শিখতে ও চালাতে পারবেন সেই জন্য এই পোস্ট  Ctrl...

    June 3, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  9. What is Largest Contentful Paint

    Developers today don’t have a reliable metric that correlates with their user’s visual rendering experience. Existing metrics such as First Paint and First Contentful Paint focus...

    June 3, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  10. What is HTML5?

    HTML is the core foundational standard being worked on by the WHATWG community. It is continuously maintained and supersedes HTML4, XHTML1, DOM Level 2 HTML, and all...

    June 3, 2024 PHP, JS, CSS, Python, and Machine Learning Technology