quiz vs the machine

System Design

CORS and Security Headers

Control cross-origin access and harden responses with security headers.

What CORS controls

Cross-origin resource sharing (CORS) lets a server declare which other origins may read its responses from a browser. The server only states the policy; the browser enforces it.

  • A preflight OPTIONS request asks the server whether a cross-origin call is allowed.
  • The server replies with the allowed origin, methods, and request headers (the Access-Control-Allow-* headers).
  • Without matching headers the browser withholds the response from the page's script, even if the request itself reached the server.

The preflight handshake

For non-simple requests (a method other than GET, HEAD, or POST, a custom request header, or a content type outside the plain form types) the browser sends the preflight and checks the answer before sending the real call.

Useful security headers

  • Strict-Transport-Security forces HTTPS for future visits to the host.
  • X-Content-Type-Options: nosniff stops MIME sniffing, so a response is interpreted only as its declared type.
  • X-Frame-Options or the Content-Security-Policy frame-ancestors directive blocks clickjacking by refusing to be framed.
  • Referrer-Policy limits how much referrer data leaks to other sites.

Practical notes

  • List explicit allowed origins instead of a wildcard when credentials are involved; browsers reject a wildcard combined with Access-Control-Allow-Credentials, and blindly echoing the request's Origin is no safer than a wildcard.
  • Set headers at the proxy so all responses, including errors and preflight answers, are consistent.
  • Test that preflight responses list every request header and method your client sends in Access-Control-Allow-Headers and Access-Control-Allow-Methods; one missing name fails the whole call.
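The allowlist-plus-preflight logic described above and the fixed set of security headers, as an added example that is not part of the lesson: two pure functions that a proxy or middleware layer could call, with a constructed allowlist and header policy standing in for real configuration.

```python
from __future__ import annotations

# Constructed allowlist and policy for this example; real values come from config.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})
ALLOWED_METHODS = frozenset({"GET", "POST", "PUT", "DELETE"})
ALLOWED_HEADERS = frozenset({"content-type", "authorization", "x-request-id"})

# Applied to every response, so they are set once at the edge rather than per route.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def cors_headers(origin: str | None) -> dict[str, str]:
    """CORS headers for an actual (non-preflight) response.

    Exact-match allowlist: the Origin is never echoed back blindly and '*' is
    never used, because credentials are allowed. Unknown origins get nothing.
    """
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # a shared cache must not serve one origin's answer to another
    }


def preflight(origin: str | None, req_method: str, req_headers: str = "") -> tuple[int, dict[str, str]]:
    """Answer an OPTIONS preflight. req_headers is the raw
    Access-Control-Request-Headers value (comma separated, case-insensitive)."""
    headers = dict(SECURITY_HEADERS)  # hardening headers go on even when refusing
    allow = cors_headers(origin)
    requested = {h.strip().lower() for h in req_headers.split(",") if h.strip()}
    if not allow or req_method.upper() not in ALLOWED_METHODS or not requested <= ALLOWED_HEADERS:
        return 403, headers  # no Access-Control-* headers: the browser withholds the response
    headers.update(allow)
    headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
    headers["Access-Control-Allow-Headers"] = ", ".join(sorted(requested))
    headers["Access-Control-Max-Age"] = "600"  # browser may cache this preflight for 10 minutes
    return 204, headers
```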

Key idea

CORS governs which origins a browser may let read a server's responses, and security headers harden every response, so set both centrally and never pair a wildcard origin with credentials.

Check yourself

1. What is the purpose of a CORS preflight request?

2. Why avoid a wildcard allowed origin when credentials are sent?