This cheat sheet contains everything there is to know about the CORS standard in a single, interactive mind map. It is a great resource for anyone who wants enable cross-origin access from their client applications and understand the root causes for the common "blocked by CORS" issues.
Pragma
Last-Modified
Expires
Content-Type
Content-Language
Cache-Control
the exact origin of the request
* = wildcard, allows any origin
PATCH
TRACE
OPTIONS
CONNECT
DELETE
PUT
POST
HEAD
GET
port, if different from 80 for HTTP and 443 for HTTPS
host
scheme
text/plain
multipart/form-data
application/x-www-form-urlencoded
prevents cache poisoning attacks
important to set this header to Origin
when not using a wildcard for Access-Control-Allow-Origin
this tells the browser that the response is different based on the provided header(s)
the default is 5 seconds
different browsers have different limits for this
the number of seconds the preflight response can be cached for
Access-Control-* headers with a value of * cannot be used when this header is present
true is the only valid value, omit if not needed
whether or not the request can include credentials, e.g cookies, authorization headers and TLS client certificates
not needed for safelisted headers:
not to be confused with Access-Control-Allow-Headers
* is supported, but not recommended
trying to read a header that is not exposed will look like the header has not been set
a comma separated list of response HTTP headers that are allowed to be read by the client, e.g Content-Type, Accept
* is supported, but not recommended
all Access-Control-Request-Headers must be included, otherwise the browser will not allow the request
a comma separated list of request HTTP headers that are allowed, e.g Content-Type, Accept
* is supported, but not recommended
value from Access-Control-Request-Method must be included, otherwise the browser will not allow the request
a comma separated list of HTTP methods that are allowed, e.g GET, POST
must be one of:
if not present, the browser will not allow the request
the origin that is allowed to make the request, e.g https://blockedbycors.dev
Access-Control-Max-Age
Access-Control-Allow-Credentials
Access-Control-Expose-Headers
Access-Control-Allow-Headers
Access-Control-Allow-Methods
Access-Control-Allow-Origin
includes only header names, no values
a comma separated list of headers that will be sent with the request, e.g Content-Type
one of:
the HTTP method of the request, e.g GET
may include:
must include:
its presence indicates that the request is a CORS request
the origin of the request, e.g https://blockedbycors.dev
Access-Control-Request-Headers
Access-Control-Request-Method
Origin
no ReadableStream object used in the request
no event listeners registered on XMLHttpRequestUpload
Width
Viewport-Width
Save-Data
Downlink
DPR
Content-Type
Content-Language
Accept-Language
Accept
POST
HEAD
GET
Vary
Access-Control-Max-Age
Access-Control-Allow-Credentials
Access-Control-Expose-Headers
Access-Control-Allow-Headers
Access-Control-Allow-Methods
Access-Control-Allow-Origin
may include headers:
must include headers:
the response to a preflight request
Access-Control-Request-Headers
Access-Control-Request-Method
Origin
may include headers:
must include headers:
uses the HTTP OPTIONS method
automatically issued by the browser
requests that ask for permission to make the actual request
are necessary for requests that are not simple requests
further requirements:
allowed request headers are:
allowed request methods are:
are requests that do not trigger a preflight request
Response Headers
Preflight Response
Request Headers
Preflight Request
Simple Request
it is not a security mechanism that prevents access to confidential data
it is an extension of the same-origin policy
an origin is defined by the scheme, host and port
e.g. https://blockedbycors.dev accessing https://api.blockedbycors.dev
it is a browser mechanism that allows to access resources from different origins
CORS stands for Cross-Origin Resource Sharing
more tools coming soon
a toolbox to help you understand and fix CORS issues
Server
Client (Browser)
General
CORS