[Web] CORS Headers

 

A: Cannot tell, it might be GET request then it's not a preflight request

B: Correct

C: Not correct

D: Preflight request will have 600ms cache time, not normal request

E: X-Custom-Header not the only response header, it has few default response headers

F: Not correct

 

Cross-Origin Resource Sharing (CORS) is a mechanism that allows web servers to specify which origins (domains) are allowed to access their resources. CORS provides a set of HTTP headers that enable controlled access to resources hosted on different domains. Let's explore the key CORS headers:

1. Access-Control-Allow-Origin: The Access-Control-Allow-Origin header specifies the origin(s) that are allowed to access a resource. The value of this header can be a single origin or "*", indicating that any origin is permitted. For example, if the server sends Access-Control-Allow-Origin: https://example.com, it allows requests from the specified origin. Browsers enforce this header to restrict cross-origin requests.

2. Access-Control-Allow-Headers: The Access-Control-Allow-Headers header specifies the allowed HTTP headers for a cross-origin request. It provides a comma-separated list of headers that the server allows the client to include in the request. By default, only a few simple headers are allowed without explicit permission. If the client wants to include additional headers like Authorization or Content-Type, they must be listed in this header.

3. Access-Control-Allow-Methods: The Access-Control-Allow-Methods header specifies the allowed HTTP methods for a cross-origin request. It indicates which methods (such as GET, POST, PUT, DELETE) the server permits the client to use when making cross-origin requests. The server sends this header to inform the browser about the permitted methods.

4. Access-Control-Expose-Headers: The Access-Control-Expose-Headers header allows the server to expose additional response headers to the client in a cross-origin scenario. By default, only a limited set of headers are exposed to the client. If the server wants to make additional headers accessible to the client, it can list them in this header. This header helps the client determine which response headers it can access when the request is cross-origin.

5. Access-Control-Max-Age: The Access-Control-Max-Age header specifies the time, in seconds, that the preflight response (OPTIONS request) can be cached by the browser. The preflight request is an additional request sent by the browser to check if the cross-origin request is allowed. The server can respond with the Access-Control-Max-Age header to indicate how long the preflight response can be cached. Caching the response reduces the number of preflight requests for subsequent cross-origin requests within the specified time frame.

These CORS headers play a crucial role in controlling and securing cross-origin resource sharing between web applications. By specifying and properly configuring these headers on the server side, web developers can control which origins are allowed to access their resources, what headers and methods can be used, and cache preflight responses for improved performance.

 

CORS is a feature on browser site to check against server response

 

Preflight request:

DELTE is a preflight request, it sends a OPTION request to server to check against CORS

In case doesn't allow: