[{"data":1,"prerenderedAt":325},["ShallowReactive",2],{"term-c\u002Fcors":3,"related-c\u002Fcors":307},{"id":4,"title":5,"acronym":5,"body":6,"category":289,"description":290,"difficulty":291,"extension":292,"letter":293,"meta":294,"navigation":85,"path":295,"related":296,"seo":300,"sitemap":301,"stem":304,"subcategory":305,"__hash__":306},"terms\u002Fterms\u002Fc\u002Fcors.md","CORS",{"type":7,"value":8,"toc":283},"minimark",[9,14,18,22,30,34,272,276,279],[10,11,13],"h2",{"id":12},"eli5-the-vibe-check","ELI5 — The Vibe Check",[15,16,17],"p",{},"CORS (Cross-Origin Resource Sharing) is the browser's built-in protection that prevents random websites from making API calls to your backend using the visitor's cookies. Your browser blocks cross-origin requests unless your server explicitly says 'yes, that website is allowed'. It stops sneaky sites from piggybacking on your logged-in sessions.",[10,19,21],{"id":20},"real-talk","Real Talk",[15,23,24,25,29],{},"CORS is a browser security mechanism that restricts cross-origin HTTP requests. When a browser makes a cross-origin request, it checks for CORS headers (",[26,27,28],"code",{},"Access-Control-Allow-Origin",", etc.) in the server response. 
The browser sends a preflight OPTIONS request to verify permissions before the actual request, but only for requests that are not 'simple' (for example, a custom header such as Authorization, or a method like PUT or DELETE); simple requests still reach the server, and CORS then decides only whether the page may read the response.",[10,31,33],{"id":32},"show-me-the-code","Show Me The Code",[35,36,41],"pre",{"className":37,"code":38,"language":39,"meta":40,"style":40},"language-javascript shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","\u002F\u002F Express: configure CORS properly\nimport cors from 'cors';\n\napp.use(cors({\n  origin: ['https:\u002F\u002Fmyapp.com', 'https:\u002F\u002Fwww.myapp.com'],\n  methods: ['GET', 'POST', 'PUT', 'DELETE'],\n  allowedHeaders: ['Content-Type', 'Authorization'],\n  credentials: true, \u002F\u002F allow cookies\n}));\n\n\u002F\u002F ❌ Never do this in production:\n\u002F\u002F app.use(cors({ origin: '*', credentials: true })); \u002F\u002F breaks & insecure\n","javascript","",[26,42,43,52,80,87,110,146,194,224,241,252,257,263],{"__ignoreMap":40},[44,45,48],"span",{"class":46,"line":47},"line",1,[44,49,51],{"class":50},"sHwdD","\u002F\u002F Express: configure CORS properly\n",[44,53,55,59,63,66,70,74,77],{"class":46,"line":54},2,[44,56,58],{"class":57},"s7zQu","import",[44,60,62],{"class":61},"sTEyZ"," cors ",[44,64,65],{"class":57},"from",[44,67,69],{"class":68},"sMK4o"," '",[44,71,73],{"class":72},"sfazB","cors",[44,75,76],{"class":68},"'",[44,78,79],{"class":68},";\n",[44,81,83],{"class":46,"line":82},3,[44,84,86],{"emptyLinePlaceholder":85},true,"\n",[44,88,90,93,96,100,103,105,107],{"class":46,"line":89},4,[44,91,92],{"class":61},"app",[44,94,95],{"class":68},".",[44,97,99],{"class":98},"s2Zo4","use",[44,101,102],{"class":61},"(",[44,104,73],{"class":98},[44,106,102],{"class":61},[44,108,109],{"class":68},"{\n",[44,111,113,117,120,123,125,128,130,133,135,138,140,143],{"class":46,"line":112},5,[44,114,116],{"class":115},"swJcz","  origin",[44,118,119],{"class":68},":",[44,121,122],{"class":61}," 
[",[44,124,76],{"class":68},[44,126,127],{"class":72},"https:\u002F\u002Fmyapp.com",[44,129,76],{"class":68},[44,131,132],{"class":68},",",[44,134,69],{"class":68},[44,136,137],{"class":72},"https:\u002F\u002Fwww.myapp.com",[44,139,76],{"class":68},[44,141,142],{"class":61},"]",[44,144,145],{"class":68},",\n",[44,147,149,152,154,156,158,161,163,165,167,170,172,174,176,179,181,183,185,188,190,192],{"class":46,"line":148},6,[44,150,151],{"class":115},"  methods",[44,153,119],{"class":68},[44,155,122],{"class":61},[44,157,76],{"class":68},[44,159,160],{"class":72},"GET",[44,162,76],{"class":68},[44,164,132],{"class":68},[44,166,69],{"class":68},[44,168,169],{"class":72},"POST",[44,171,76],{"class":68},[44,173,132],{"class":68},[44,175,69],{"class":68},[44,177,178],{"class":72},"PUT",[44,180,76],{"class":68},[44,182,132],{"class":68},[44,184,69],{"class":68},[44,186,187],{"class":72},"DELETE",[44,189,76],{"class":68},[44,191,142],{"class":61},[44,193,145],{"class":68},[44,195,197,200,202,204,206,209,211,213,215,218,220,222],{"class":46,"line":196},7,[44,198,199],{"class":115},"  allowedHeaders",[44,201,119],{"class":68},[44,203,122],{"class":61},[44,205,76],{"class":68},[44,207,208],{"class":72},"Content-Type",[44,210,76],{"class":68},[44,212,132],{"class":68},[44,214,69],{"class":68},[44,216,217],{"class":72},"Authorization",[44,219,76],{"class":68},[44,221,142],{"class":61},[44,223,145],{"class":68},[44,225,227,230,232,236,238],{"class":46,"line":226},8,[44,228,229],{"class":115},"  credentials",[44,231,119],{"class":68},[44,233,235],{"class":234},"sfNiH"," true",[44,237,132],{"class":68},[44,239,240],{"class":50}," \u002F\u002F allow cookies\n",[44,242,244,247,250],{"class":46,"line":243},9,[44,245,246],{"class":68},"}",[44,248,249],{"class":61},"))",[44,251,79],{"class":68},[44,253,255],{"class":46,"line":254},10,[44,256,86],{"emptyLinePlaceholder":85},[44,258,260],{"class":46,"line":259},11,[44,261,262],{"class":50},"\u002F\u002F ❌ Never do this in 
production:\n",[44,264,266,269],{"class":46,"line":265},12,[44,267,268],{"class":50},"\u002F\u002F app.use(cors({ origin: '*', credentials: true }));",[44,270,271],{"class":50}," \u002F\u002F breaks & insecure\n",[10,273,275],{"id":274},"when-youll-hear-this","When You'll Hear This",[15,277,278],{},"\"The frontend is getting a CORS error — whitelist the domain in the API.\" \u002F \"Don't set Access-Control-Allow-Origin: * on authenticated endpoints.\"",[280,281,282],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .s7zQu, html code.shiki .s7zQu{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#89DDFF;--shiki-default-font-style:italic;--shiki-dark:#89DDFF;--shiki-dark-font-style:italic}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .sfNiH, html code.shiki .sfNiH{--shiki-light:#FF5370;--shiki-default:#FF9CAC;--shiki-dark:#FF9CAC}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: 
var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":40,"searchDepth":54,"depth":54,"links":284},[285,286,287,288],{"id":12,"depth":54,"text":13},{"id":20,"depth":54,"text":21},{"id":32,"depth":54,"text":33},{"id":274,"depth":54,"text":275},"security","CORS (Cross-Origin Resource Sharing) is the browser's built-in protection that prevents random websites from making API calls to your backend using the vis...","intermediate","md","c",{},"\u002Fterms\u002Fc\u002Fcors",[297,217,298,299],"CSRF","Content Security Policy","HTTPS",{"title":5,"description":290},{"changefreq":302,"priority":303},"weekly",0.7,"terms\u002Fc\u002Fcors",null,"KUidGbiVw4GbTtry-jaHB0g-aSr9h0eVKg-u-kkSIRg",[308,313,317,320],{"title":217,"path":309,"acronym":310,"category":289,"difficulty":311,"description":312},"\u002Fterms\u002Fa\u002Fauthorization","AuthZ","beginner","Authorization is deciding what you're allowed to do after you've proven who you 
are.",{"title":298,"path":314,"acronym":315,"category":289,"difficulty":291,"description":316},"\u002Fterms\u002Fc\u002Fcontent-security-policy","CSP","Content Security Policy is an HTTP header that tells the browser exactly where it's allowed to load scripts, images, and other resources from.",{"title":297,"path":318,"acronym":297,"category":289,"difficulty":291,"description":319},"\u002Fterms\u002Fc\u002Fcsrf","CSRF (Cross-Site Request Forgery) is when a bad website hijacks your logged-in session on a good website to do things you didn't ask for.",{"title":299,"path":321,"acronym":322,"category":323,"difficulty":311,"description":324},"\u002Fterms\u002Fh\u002Fhttps","HyperText Transfer Protocol Secure","networking","HTTPS is HTTP but with a bodyguard. All the data flying between your browser and the website is scrambled so nobody can spy on it.",1776518262723]