DEV Community

Utkarsh Kr. Singh


CORS - Cross Origin Resource Sharing

CORS is one of those things you don’t really learn…

You just run into it.

Everything works.

API is up.

Backend is responding.

Then the browser says:

“Blocked by CORS policy.”

And suddenly you’re questioning your life choices 😄

For a long time, CORS feels like a bug.

But it’s not.

It’s actually the browser trying to protect users by saying:

“Hey, are you sure this website should be talking to that server?”

That’s why:

  • It works in Postman but not in the browser
  • The backend logs look fine
  • Adding one missing header magically fixes everything

And also why “just disable CORS” is a terrible idea

(even though we’ve all Googled it).


Why Postman and curl don’t care about CORS

CORS is a browser-only security rule.

Postman, curl, and other tools aren’t trying to protect end users—they’re just clients making HTTP requests. They don’t block responses based on origin, so they’ll happily show you the data even if the server never sends CORS headers.

Browsers, on the other hand, sit between your app and the user. If they didn’t enforce CORS, any website could silently read data from another site using your logged-in session.

That’s the real threat CORS is preventing.


And what’s a preflight request?

That mysterious OPTIONS call you see before your actual API request?

That’s the browser asking politely first.

Before sending certain requests (like PUT, DELETE, or requests with custom headers), the browser sends a preflight request to the server saying:

“Hey, I want to make this request with these methods and headers. Are you okay with that?”

If the server says yes (with the right CORS headers), the real request is sent.

If not, the browser stops everything right there.
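Here is that exchange from both sides, as an added example (not code from the original post): a server that answers the preflight from an explicit allowlist, and a simplified version of the check the browser runs on the answer. The policy values, origins and function names are assumptions made up for illustration.

```javascript
// Added example; the policy values and origins are constructed for illustration.
const POLICY = {
  origins: new Set(["https://app.example.com"]),
  methods: new Set(["GET", "POST", "PUT", "DELETE"]),
  headers: new Set(["content-type", "authorization"]),
  credentials: true,
};

// Split a comma-separated header value into lowercase tokens.
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Server side: answer an OPTIONS preflight. Header names are lowercase keys.
function answerPreflight(req, policy = POLICY) {
  const origin = req.headers["origin"];
  const method = req.headers["access-control-request-method"];
  const wanted = list(req.headers["access-control-request-headers"]);
  // Say yes only to an exact origin match; never echo back arbitrary origins.
  const ok = policy.origins.has(origin) && policy.methods.has(method) &&
    wanted.every((h) => policy.headers.has(h));
  if (!ok) return { status: 403, headers: { vary: "Origin" } };
  const headers = {
    "access-control-allow-origin": origin,
    "access-control-allow-methods": [...policy.methods].join(", "),
    "access-control-allow-headers": [...policy.headers].join(", "),
    vary: "Origin", // the answer differs per origin, so caches must key on it
  };
  if (policy.credentials) headers["access-control-allow-credentials"] = "true";
  return { status: 204, headers };
}

// Browser side, simplified: may the real request be sent after this preflight?
function browserSendsRealRequest(req, res, withCredentials) {
  const h = res.headers;
  if (res.status < 200 || res.status > 299) return false;
  const allowOrigin = h["access-control-allow-origin"];
  // With credentials, "*" is not accepted; the origin must be named exactly.
  const originOk = allowOrigin === req.headers["origin"] ||
    (allowOrigin === "*" && !withCredentials);
  if (withCredentials && h["access-control-allow-credentials"] !== "true") return false;
  const method = req.headers["access-control-request-method"].toLowerCase();
  const allowedHeaders = list(h["access-control-allow-headers"]);
  return originOk && list(h["access-control-allow-methods"]).includes(method) &&
    list(req.headers["access-control-request-headers"]).every((x) => allowedHeaders.includes(x));
}
```

The last branch is why a blanket `*` does not "fix" a cookie-authenticated API: the browser refuses a wildcard origin on credentialed requests, so the server has to name the origin it trusts.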

CORS diagram

Once it clicks, CORS stops being scary.

You realize it’s just rules about who can talk to whom, and how explicitly you need to say yes.

Honestly, understanding CORS felt like a small rite of passage as a developer.

If CORS has ever ruined your day, welcome to the club.

If you’ve mastered it, you’ve earned your badge.

What was your first CORS error like? 👇
