CORS Best Practices Guide
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.
The Dangers of the Wildcard (*)
Using Access-Control-Allow-Origin: * allows any website on the internet to read the responses from your API. While this is perfectly fine for public APIs (like a weather API), it is highly dangerous for APIs that handle user data.
Never use * on an authenticated endpoint.
CORS and Credentials
If your API requires cookies or Authorization headers to be sent with cross-origin requests, you must set Access-Control-Allow-Credentials: true.
Crucially, the browser will reject the request if Allow-Credentials is true AND Allow-Origin is set to *. You must explicitly specify the allowed origin (e.g., https://app.example.com) when using credentials.
Preflight Requests (OPTIONS)
When a browser makes a "complex" request (e.g., using a POST method with a custom Content-Type like application/json), it first sends an OPTIONS request to check if the CORS protocol is understood and allows the request.
You can cache this preflight response using the Access-Control-Max-Age header (in seconds) to reduce latency on subsequent requests from the same client.