Cross-Origin Resource Sharing, or CORS, is a browser rule that controls whether a webpage can request data from a different domain than the one that loaded it. It uses HTTP headers to tell the browser which outside domains may access server resources.
By default, browsers block a script on one domain from reading responses from a different domain, under the same-origin policy. CORS headers let a server explicitly allow certain outside domains, methods, or headers to access its data. The browser sends a preflight request for many types of cross-origin calls, asking the server for permission before sending the real request. If the CORS headers on the server do not list the requesting domain, the browser blocks the response from being read by the page.
Match the strength of this control to what is actually at risk in the workflow.
USER-country-de-session-task01The credential string is the only configuration needed -- "country-de" sets the exit, "session-task01" keeps it consistent, and cors is handled by the gateway rather than your application code.
Test the setup with a leak-test tool or packet capture to confirm this protection is actually working, not just configured.
Pair this with sane session handling and header hygiene -- no single control covers a full workflow on its own.
Apply the strongest version of this control to logins, payments, and personal data -- it is overkill for public information.
Do not let two workflows that need to stay separate for privacy or account reasons share the same session or IP.
A weather widget hosted on one domain can fetch data from a weather API on another domain only when the API CORS headers allow requests from the widget domain.
CORS protects users from malicious sites secretly reading data from other logged-in sessions. Developers building tools that call APIs across domains need to understand CORS to avoid blocked requests.
The API server has not listed your domain as an allowed origin in its CORS headers, so the browser blocks the response for safety. This usually needs to be fixed on the server side.
A server-side proxy can fetch data on your behalf and avoid a browser CORS block, since CORS is a browser rule and not a network rule. This is a common workaround for development and data collection.
Ready to put this into practice? Security Documentation
Start a free trial and test with real targets -- no credit card, no sales call.