- CORS (Cross-Origin Resource Sharing)
- Cross-Origin Resource Sharing, a W3C standard that adds HTTP header fields allowing servers to declare which origins can access resources — the official modern browser solution to cross-origin issues.
- Same-Origin Policy
- Browser core security mechanism: only when protocol, domain, and port are all identical are origins considered same; different origin JavaScript by default cannot read each other's resources.
- Preflight Request
- OPTIONS method request automatically sent by browsers for non-simple cross-origin requests, asking the server whether the subsequent actual request is allowed; actual request sent only after preflight passes.
- Simple Request
- Cross-origin request meeting specific conditions (GET/HEAD/POST method, safelisted headers only, specific Content-Type) that doesn't trigger preflight — actual request sent directly.
- Access-Control-Allow-Origin (ACAO)
- Core CORS response header specifying allowed origins for resource access — can be specific origin URI or wildcard *; cannot use * with credentials.
- Access-Control-Allow-Methods (ACAM)
- Preflight response header listing all HTTP methods supported by the server, multiple methods comma-separated.
- Access-Control-Allow-Headers (ACAH)
- Preflight response header listing all request header fields allowed by the server; custom headers sent by frontend must be declared here.
- Access-Control-Allow-Credentials (ACAC)
- Response header, boolean true indicates cross-origin requests are allowed to carry cookies, Authorization and other credentials; when set Allow-Origin cannot be *.
- Access-Control-Max-Age (ACMA)
- Preflight response header specifying preflight result cache duration in seconds; reasonable setting reduces OPTIONS requests improving performance.
- Vary: Origin
- Response header telling CDN/proxies response content varies with Origin header — cache must include Origin as part of cache key to prevent cross-origin response cache corruption.
- CORS-safelisted request headers
- Request headers that can be sent without declaration in Allow-Headers, including Accept, Accept-Language, Content-Language, Content-Type (specific values) etc.
- Forbidden header name
- Request headers browsers prohibit JavaScript from setting programmatically, such as Host, Connection, Cookie, Origin etc. — these are automatically controlled by the browser.
- Credentialed Request
- Cross-origin request carrying identity credentials like cookies, HTTP authentication info, TLS client certificates — requires frontend-backend coordination setting withCredentials and Allow-Credentials.
- Access-Control-Expose-Headers
- Response header listing response headers accessible to frontend JavaScript; by default only a few basic headers are accessible, custom response headers must be declared here.
- OPTIONS method
- One of the HTTP methods used to retrieve communication options supported by the server; CORS uses it to send preflight requests asking about allowed methods, headers, credentials etc.
- Origin request header
- Request header automatically added by browsers indicating which origin (protocol+domain+port) the current request comes from; server determines cross-origin permission based on this header.
- crossorigin attribute
- Attribute on HTML elements (script, img, link etc.) specifying whether to load resources with CORS, values are anonymous (without credentials) and use-credentials (with credentials).
- no-cors request mode
- A fetch API mode allowing cross-origin requests but only simple requests can be sent and JavaScript cannot read response content — equivalent to sending an opaque response.