Web Security
CORS
Cross-Origin Resource Sharing (CORS) is a browser security mechanism that controls whether a web page may read responses from a different origin (scheme, host and port) than the one that served the page. Servers opt into cross-origin access by including Access-Control-Allow-Origin response headers that name the origins permitted to read the response. A misconfigured CORS policy (for example, reflecting whichever Origin the request carries while also sending Access-Control-Allow-Credentials: true) lets an attacker-controlled site make authenticated API requests on behalf of logged-in users and read the results. Properly restricting CORS is critical for APIs that handle sensitive data.
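The following added example (not from the original page) contrasts the reflect-any-origin misconfiguration described above with a strict allowlist, and includes an audit check that flags the dangerous header combination; the origins used are constructed sample values.

```python
"""Minimal CORS policy evaluator: computes the response headers a server
would emit for a given request Origin, and audits for the dangerous
'reflect any origin + allow credentials' combination.
Example code, not from the original page; all origins are constructed."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CorsPolicy:
    allowed_origins: frozenset = field(default_factory=frozenset)
    reflect_any_origin: bool = False   # the misconfiguration: echo the request's Origin
    allow_credentials: bool = False    # send Access-Control-Allow-Credentials: true


def cors_headers(policy: CorsPolicy, request_origin: Optional[str]) -> dict:
    """Return the CORS response headers for a request carrying the given Origin
    header (None models a same-origin request, which needs no CORS headers)."""
    headers = {}
    if request_origin is None:
        return headers
    if policy.reflect_any_origin:
        # Echoing the caller's Origin effectively allows every site on the web.
        headers["Access-Control-Allow-Origin"] = request_origin
    elif request_origin in policy.allowed_origins:
        headers["Access-Control-Allow-Origin"] = request_origin
        # Vary on Origin so a shared cache never serves one origin's answer to another.
        headers["Vary"] = "Origin"
    else:
        return headers  # no CORS headers: the browser blocks the cross-origin read
    if policy.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def is_dangerous(policy: CorsPolicy, probe_origin: str = "https://untrusted.example") -> bool:
    """True if an arbitrary, untrusted origin would be granted credentialed access."""
    h = cors_headers(policy, probe_origin)
    return (h.get("Access-Control-Allow-Origin") == probe_origin
            and h.get("Access-Control-Allow-Credentials") == "true")


# Weak setting beside the corrected one (constructed sample policies).
WEAK = CorsPolicy(reflect_any_origin=True, allow_credentials=True)
STRICT = CorsPolicy(allowed_origins=frozenset({"https://app.example"}),
                    allow_credentials=True)

if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("STRICT", STRICT)):
        print(name, "dangerous" if is_dangerous(policy) else "ok",
              cors_headers(policy, "https://untrusted.example"))
```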
Official documentation
Why it matters for your website
1. Listed in the OWASP Top 10 as one of the most critical web risks
2. Can lead to data exfiltration, account takeover, or full system compromise
3. Required to fix before passing security reviews for enterprise customers