CORS Policy Configuration
Network Security
Cross-Origin Resource Sharing (CORS) is a browser security mechanism that controls which web origins are allowed to read responses from your application's API. By default, browsers enforce the Same-Origin Policy, which prevents JavaScript running on one origin (scheme, host and port) from reading responses to requests it sends to a different origin. CORS relaxes this restriction in a controlled way: the server uses HTTP response headers to tell the browser exactly which origin, methods and request headers are permitted, and the browser enforces that answer. When your frontend at app.example.com needs to call your API at api.example.com with anything beyond a simple GET, HEAD or form-encoded POST (for example a JSON body, a custom header, or a PUT or DELETE), the browser first sends a "preflight" OPTIONS request to check whether the API allows that cross-origin request. Your server answers with headers such as Access-Control-Allow-Origin, which names a single approved origin (not a list), together with Access-Control-Allow-Methods and Access-Control-Allow-Headers. A properly configured CORS policy matches the request's Origin header against an explicit allowlist of exact origins and echoes only the matched one, rather than using a wildcard or reflecting whatever origin the request carries.
Why It Matters
CORS misconfiguration is one of the most common security mistakes in modern web applications, and the consequences range from data theft to full account takeover. The dangerous pattern is a server that reflects the request's Origin header back in Access-Control-Allow-Origin (or accepts it after a loose check such as a substring, suffix or regex match) while also sending Access-Control-Allow-Credentials: true. Browsers refuse to honour the literal combination of Access-Control-Allow-Origin: * with credentials, but a reflected origin passes every browser check, so any malicious website a user visits can make authenticated requests to your API with that user's cookies and read the responses, harvesting their data, changing their settings, or performing actions on their behalf. Proper CORS configuration ensures that only your legitimate frontend origins can read API responses, while all other origins are rejected at the browser level. Two caveats matter in practice: CORS only governs what a page may read, so simple requests such as a form POST are still sent and your API still needs CSRF protection; and the check runs in the browser, so it does nothing against an attacker calling your API directly from a script. This is especially critical for applications with separate frontend and backend deployments, which is the norm in modern architecture.
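The mechanism from the opening paragraph and the misconfiguration described above, as an added example that is not code from the original page: an exact-match origin allowlist that also handles the preflight, placed beside the origin-reflection and suffix-match mistakes, plus the browser-side rule that decides when a preflight is sent at all. The origins, function names and header lists (ALLOWED_ORIGINS, corsHeadersFor, needsPreflight and so on) are assumptions for this illustration, not a library's API.

```javascript
// Added example, not the page's own code. Names and origins are assumed.

// Exact origins (scheme + host + port) that may call the API with credentials.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'authorization', 'x-csrf-token'];

// Hardened: compare the Origin header with the allowlist by exact string
// equality. Returns the response headers to add, or null when the origin is
// not allowed (the browser then blocks the page from reading the response).
// A missing Origin or the literal "null" origin (sandboxed iframes, file://
// pages) is never granted credentials.
function corsHeadersFor(reqOrigin, isPreflight, requestedHeaders = '') {
  if (typeof reqOrigin !== 'string' || !ALLOWED_ORIGINS.has(reqOrigin)) {
    return null;
  }
  const headers = {
    // Echo only the one matched origin, never '*', because credentials are on.
    'Access-Control-Allow-Origin': reqOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // The response differs per origin, so shared caches must key on Origin.
    'Vary': 'Origin',
  };
  if (isPreflight) {
    // Grant the preflight only if every requested header is on our list.
    const wanted = requestedHeaders
      .split(',')
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean);
    if (wanted.some((h) => !ALLOWED_HEADERS.includes(h))) return null;
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600'; // cache the preflight result
  }
  return headers;
}

// Vulnerable: reflect whatever Origin the client sent. Every site on the web
// becomes an allowed origin, and with credentials enabled a malicious page can
// read the victim's authenticated responses.
function reflectOriginHeaders(reqOrigin) {
  return {
    'Access-Control-Allow-Origin': reqOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Also vulnerable: a suffix check meant to allow "any subdomain of example.com"
// also matches attacker-registered hosts that merely end in that string.
function suffixCheckHeaders(reqOrigin) {
  if (typeof reqOrigin !== 'string' || !reqOrigin.endsWith('example.com')) {
    return null;
  }
  return reflectOriginHeaders(reqOrigin);
}

// Browser side of the mechanism: a request skips the preflight only if it is
// "simple": method GET/HEAD/POST, only CORS-safelisted headers, and a
// Content-Type limited to the three form-style values below.
const SIMPLE_CONTENT_TYPES = [
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
];
const SAFELISTED_HEADERS = ['accept', 'accept-language', 'content-language'];
function needsPreflight(method, headers) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (n === 'content-type') {
      const type = value.split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.includes(type)) return true;
    } else if (!SAFELISTED_HEADERS.includes(n)) {
      return true;
    }
  }
  return false;
}

module.exports = { corsHeadersFor, reflectOriginHeaders, suffixCheckHeaders, needsPreflight };
```

In a real server corsHeadersFor would run on every request (including the OPTIONS preflight, where the framework passes the Access-Control-Request-Headers value as requestedHeaders) and the returned object would be merged into the response headers; a null result means send no Access-Control headers at all. The suffix and reflection variants are there only to show what an attacker at https://attacker-example.com or https://evil.example gets back.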
What Happens Without It
In 2019, security researchers discovered that a major Bitcoin exchange had a CORS misconfiguration that allowed any website to make authenticated API calls on behalf of logged-in users. An attacker could have created a malicious webpage that, when visited by an exchange user, would silently transfer their cryptocurrency to the attacker's wallet. The vulnerability was reported through a bug bounty program before it was exploited, but similar CORS flaws have been found in banks, healthcare portals, and enterprise SaaS platforms. In one documented case, a travel company's misconfigured CORS policy allowed researchers to extract customer passport numbers, flight details, and payment information from any user who visited a crafted webpage while logged in.
Every app I build includes CORS policy configuration by default.