HTTP & Networking
What is CORS?
Cross-Origin Resource Sharing, the browser security model that decides whether JavaScript on one origin can read responses from another.
Also known as: Cross-Origin Resource Sharing
By default, a browser will block JavaScript on https://app.example.com from reading the response of a fetch to https://api.other.com. The same-origin policy is what stops a malicious site from quietly stealing your bank session. CORS is the controlled escape hatch: the cross-origin server can opt in to letting specific origins read its responses by sending headers like Access-Control-Allow-Origin.
For "simple" requests (GET, basic POST forms) the browser sends the request, then checks the response headers. For "non-simple" requests (custom headers, JSON content type, methods like PUT/DELETE) the browser sends a preflight OPTIONS request first to verify the cross-origin server actually allows the operation. If the headers say no, the browser blocks the JavaScript from reading the response.
CORS is not a server-to-server concern. cURL, your scraper, and any backend client can fetch any URL freely; the browser is the enforcement point. The most common CORS confusion is developers thinking their server is "blocked" when in fact the response was delivered fine, and only the browser refused to expose it to JS.
In the wild
- A SaaS dashboard at app.x.com calling api.x.com after the API server adds Access-Control-Allow-Origin: https://app.x.com
- A cross-origin POST that triggers a preflight OPTIONS, fails it, and shows up as a "CORS error" in the browser console
- A proxy backend hop added solely to sidestep CORS on a third-party API
How Brand.dev uses CORS
Endpoints in the Brand.dev API where this concept comes up directly.
FAQ
Does CORS apply to my server-side scraper?
No. CORS is enforced by browsers. Server-to-server HTTP clients like httpx, axios on Node, or curl are unaffected.
Is `Access-Control-Allow-Origin: *` safe?
For genuinely public, unauthenticated endpoints, yes. For anything that returns user data or accepts cookies, never. Note that browsers refuse to honour `*` alongside `Access-Control-Allow-Credentials: true`, so the way this goes wrong in practice is a server that echoes whatever Origin it receives while allowing credentials: combined with the user's cookies, that lets any site read your users' data.
What is a preflight request?
An OPTIONS request the browser sends before a non-simple cross-origin request, asking the server which methods, headers, and origins are allowed. The browser caches the result for as long as Access-Control-Max-Age says.
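The following is an added example, not Brand.dev code: a framework-free CORS policy function for the app.x.com to api.x.com setup above, covering the allowlisted origin, the unknown origin, the public `*` endpoint and the preflight with its Max-Age. The allowlist, the permitted methods and headers, and the request shape (`{ method, headers }` with lower-cased header names) are constructed for illustration.

```javascript
// Constructed allowlist and policy; the real values belong to your deployment.
const ALLOWED_ORIGINS = new Set(["https://app.x.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// Decide the CORS response headers (and, for preflights, the status) for one
// request. `req` is { method, headers } with lower-cased header names.
function corsDecision(req, { publicEndpoint = false } = {}) {
  const origin = req.headers["origin"];
  const headers = {};
  // Same-origin pages and non-browser clients (curl, httpx) send no Origin:
  // there is nothing for CORS to decide, so add nothing.
  if (!origin) return { status: null, headers };

  if (publicEndpoint) {
    // Unauthenticated data: "*" is fine. Browsers refuse to pair "*" with
    // credentials, so no cookie-bearing cross-origin read is possible.
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (ALLOWED_ORIGINS.has(origin)) {
    // Exact allowlist hit: echo that one origin (never the raw Origin of an
    // arbitrary site) and tell caches the answer depends on Origin.
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin";
  } else {
    // Unknown origin: the response still goes out, but without an
    // Access-Control-Allow-Origin the browser will not let page JS read it.
    return { status: req.method === "OPTIONS" ? 403 : null, headers };
  }

  const isPreflight =
    req.method === "OPTIONS" && "access-control-request-method" in req.headers;
  if (isPreflight) {
    const wanted = req.headers["access-control-request-method"].toUpperCase();
    if (!ALLOWED_METHODS.includes(wanted)) return { status: 403, headers: {} };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    // The browser caches this preflight verdict for 600 seconds.
    headers["Access-Control-Max-Age"] = "600";
    return { status: 204, headers };
  }
  return { status: null, headers };
}
```

A `status` of `null` means "serve the real response with these headers added"; 204 and 403 are the preflight outcomes.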
Related terms
- HTTP: The application protocol the web is built on, a simple request/response format for asking a server for a resource.
- API: An Application Programming Interface, a contract that lets one program request actions or data from another in a stable, documented way.
- REST API: An API that follows REST conventions, using HTTP methods on resource URLs to model create/read/update/delete operations.
- Cookie: A small piece of data a server sends a browser, echoed back on subsequent requests to the same site—the standard mechanism for sessions and tracking.