How CORS works in plain english?

CORS is used to control access to a remote resource, for example If we hosted a webpage on site, we can configure remote resource, and tell it should entertain request coming from

If you make a request from "" to, you will not be able to do so. Because we never really configure that to happen.

So we have, --> making GET request to -->

if is allowed requested to the site, we will  get some response that look like this.

 Request from

Access-Control-Request-Method: GET
Response from

<= HTTP/1.1 204 No Content
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Max-Age: 86400
Access-Control-Allow-Headers: Api-Key
Content-Length: 0
From here, we can see that "Access-Control-Allow-Origin" is This means we are given green light to make our request.

If we set "Access-Control-Allow-Origin" to "*", this basically means incoming request to can comee from anywhere and potentially dangerous.

You can always use curl to test out your using the following command :-

curl -H "Origin:"

Or using postman.


Popular posts from this blog

A quick tutorial for OWASP ZAP tool for beginners

ionic2 cordova build android - Unable resolve gradle 2.2.3