The latest articles on DEV Community by Sarim Nadeem (@sarim_nadeem_888180307df8). https://dev.to/sarim_nadeem_888180307df8 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3759481%2F31d5b18a-a9d7-4370-aa09-9d4dfb454448.jpeg https://dev.to/sarim_nadeem_888180307df8 en Sarim Nadeem Tue, 14 Apr 2026 11:06:57 +0000 https://dev.to/sarim_nadeem_888180307df8/the-internets-bouncer-a-clear-guide-to-sop-and-cors-1954 https://dev.to/sarim_nadeem_888180307df8/the-internets-bouncer-a-clear-guide-to-sop-and-cors-1954 <h1> The Internet’s Bouncer: A Clear Guide to SOP and CORS </h1> <p>If you’ve ever seen a red error message in your browser console shouting about "Cross-Origin Request Blocked," you’ve met the web’s most important security duo: <strong>SOP</strong> and <strong>CORS</strong>. </p> <p>Here is everything you need to know to understand how they work together to keep the web safe.</p> <h2> What is Same-Origin Policy (SOP)? </h2> <p>The <strong>Same-Origin Policy (SOP)</strong> is a fundamental security feature implemented by web browsers. It’s like the internet’s bouncer, preventing web pages from making requests to different origins unless they match. </p> <p>Without SOP, malicious websites could easily access sensitive data on other tabs you’ve got open—imagine your bank account details hanging out for all to see!</p> <h3> What Defines an "Origin"? </h3> <p>If any of these three components differ between two URLs, they are considered to have different origins:</p> <ul> <li> <strong>Protocol</strong> (e.g., <code>http</code> vs. <code>https</code>)</li> <li> <strong>Domain</strong> (e.g., <code>example.com</code> vs. <code>api.example.com</code>)</li> <li> <strong>Port</strong> (e.g., <code>:80</code> vs. <code>:443</code>)</li> </ul> <p><strong>Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://example.com:443/page1 ✅ Same origin as https://example.com:443/page2 http://example.com/page1 ❌ Different origin from https://example.com/page2 (different protocol) </code></pre> </div> <h2> How SOP Restricts Interactions </h2> <p>To protect your data, the browser restricts what scripts can do across origins:</p> <ul> <li> <strong>Cookies:</strong> You can only access cookies for your own origin.</li> <li> <strong>Storage:</strong> <code>LocalStorage</code> and <code>SessionStorage</code> are origin-specific. No peeking at someone else’s data!</li> <li> <strong>DOM Access:</strong> A script from <code>Origin A</code> cannot access the DOM of a page from <code>Origin B</code>.</li> <li> <strong>AJAX/Fetch Requests:</strong> Requests are blocked by default unless explicitly allowed.</li> </ul> <h2> What Is CORS (Cross-Origin Resource Sharing)? </h2> <p><strong>CORS</strong> is a security feature that allows or restricts resources on a web server to be requested from a different domain. It’s like giving permission to certain websites to knock on your server’s door and grab some data. </p> <p>Without CORS, web pages are locked in their own origin-sandbox, unable to communicate with external APIs, CDNs, or other resources.</p> <h3> Why Is CORS Important? </h3> <ol> <li> <strong>Enforces SOP:</strong> It makes the strictness of SOP flexible for legitimate communication.</li> <li> <strong>Controlled Sharing:</strong> Servers can whitelist specific domains to keep data safe.</li> <li> <strong>Prevents Attacks:</strong> It helps protect against attacks like <em>Cross-Site Request Forgery (CSRF)</em> and <em>Cross-Site Scripting (XSS)</em>.</li> </ol> <h2> The CORS Workflow </h2> <h3> 1. Simple Requests </h3> <p>These include <code>GET</code>, <code>POST</code>, and <code>HEAD</code> requests that don’t require special handling. </p> <ul> <li>The browser sends the request with an <code>Origin</code> header.</li> <li>If the server returns an <code>Access-Control-Allow-Origin</code> header that matches, all is good.</li> </ul> <h3> 2. Preflight Requests </h3> <p>These are like asking the server, <em>"Hey, is it cool if I send a DELETE request?"</em> before making the actual request. This is done via an <code>OPTIONS</code> call.</p> <h2> CORS Headers You Should Know </h2> <ul> <li> <strong><code>Access-Control-Allow-Origin</code></strong>: Specifies which origins are allowed access.</li> <li> <strong><code>Access-Control-Allow-Methods</code></strong>: Defines permitted HTTP methods (<code>GET</code>, <code>POST</code>, etc.).</li> <li> <strong><code>Access-Control-Allow-Headers</code></strong>: Specifies which custom headers can be used.</li> <li> <strong><code>Access-Control-Allow-Credentials</code></strong>: Allows cookies or authorization headers to be included.</li> </ul> <h2> The Wildcard Policy </h2> <p>A wildcard <code>*</code> is appropriate when an API response is intended to be accessible to any code on any site, such as <a href="https://fonts.google.com/" rel="noopener noreferrer">Google Fonts</a>.</p> <blockquote> <p><strong>Note:</strong> The value of <code>*</code> is special because it <strong>does not</strong> allow requests to supply credentials. This means it won't allow HTTP authentication, SSL certificates, or cookies to be sent in the cross-domain request.</p> </blockquote> <h3> Summary </h3> <ul> <li> <strong>SOP</strong> is the "Default Deny" policy that keeps your browser secure.</li> <li> <strong>CORS</strong> is the "Explicit Allow" protocol that lets modern web apps talk to each other.</li> </ul> <p>Happy coding!</p> webdev security discuss showdev