Allowed Origin
Access-Control-Allow-Origin
The Access-Control-Allow-Origin header is part of a server's response. It tells the browser which origins are allowed to read the resource the server has returned.
- If the browser's web page attempts to make an HTTP request to a different origin and that origin is not listed in the allowed origin list, the browser blocks the request to the other origin.
Access-Control-Allow-Origin: https://developer.mozilla.org
- The header above would allow requests from the origin https://developer.mozilla.org to access the resource.
The "allowed origin" list is checked on every subsequent request beyond the initial request.
# app running on https://app.com
# makes request to https://api.com
# api.com server responds with Access-Control-Allow-Origin: https://app.com
# browser checks the header, matches the origin of the request https://app.com
# browser proceeds with the request
Preflight request
A preflight request sends an OPTIONS request before the actual request to check whether the server permits the cross-origin request.
- If the server responds with a valid Access-Control-Allow-Origin header, the browser then proceeds with the actual request.
* wildcard
A response that tells the browser to allow code from any origin to access a resource.
Access-Control-Allow-Origin: *
The * (any site) wildcard should ONLY be used for public APIs.
Private APIs should never use *, and should instead list the specific domains that are allowed.
The wildcard only works for requests made with the crossorigin attribute set to anonymous.
- This prevents credentials such as cookies from being sent with the request.
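Added example (not part of these notes): a server-side allow-list check that reflects one exact matching origin instead of *, plus a small model of the browser-side check that shows why * cannot be combined with credentials. ALLOWED_ORIGINS, corsHeadersFor and browserAllows are hypothetical names constructed for this illustration.

```javascript
// Constructed allow list of origins permitted to read this (private) API.
// Exact string match: "https://app.com.evil.example" must NOT match "https://app.com".
const ALLOWED_ORIGINS = new Set([
  'https://app.com',
  'https://developer.mozilla.org',
]);

// Server side: build the CORS response headers for a request.
// Returns null when the Origin is not on the allow list, so no
// Access-Control-Allow-Origin header is emitted and the browser blocks the read.
function corsHeadersFor(reqHeaders, method) {
  const origin = reqHeaders['origin'];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    // Reflect only the single origin that matched; never '*' for a private API.
    'Access-Control-Allow-Origin': origin,
    // Response differs per Origin, so shared caches must key on it.
    'Vary': 'Origin',
    'Access-Control-Allow-Credentials': 'true',
  };
  if (method === 'OPTIONS') {
    // Preflight: state what the actual request is allowed to use.
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Browser side (simplified model of the check the browser performs):
// '*' only satisfies a request made without credentials; a credentialed
// request needs an exact origin match AND Allow-Credentials: true.
function browserAllows(respHeaders, pageOrigin, withCredentials) {
  const acao = respHeaders['Access-Control-Allow-Origin'];
  if (withCredentials) {
    return acao === pageOrigin &&
      respHeaders['Access-Control-Allow-Credentials'] === 'true';
  }
  return acao === '*' || acao === pageOrigin;
}
```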