
CORS — Cross-Origin Resource Sharing

security · PHP 7.0+ · Intermediate

Also Known As

Cross-Origin Resource Sharing, CORS headers, preflight request, Access-Control-Allow-Origin, same-origin policy

TL;DR

A browser mechanism that decides whether JavaScript running on one origin may read responses from, or send non-simple requests to, a different origin. A PHP API that serves a separately hosted frontend must send specific Access-Control-* headers that allow exactly the permitted frontend origins.

Explanation

The Same-Origin Policy stops JavaScript on one origin (scheme, host and port) from reading responses from a different origin; the request itself may still leave the browser. CORS is the controlled mechanism for relaxing this restriction. For simple requests (GET, HEAD, or POST with a Content-Type of application/x-www-form-urlencoded, multipart/form-data or text/plain, and no custom headers) the browser sends the request with an Origin header; if the response carries a matching Access-Control-Allow-Origin the browser exposes it to the script, otherwise the script sees only a network error. For non-simple requests (PUT, DELETE, PATCH, custom headers such as Authorization or X-CSRF-Token, or a JSON Content-Type) the browser first sends a preflight OPTIONS request carrying Origin, Access-Control-Request-Method and, where relevant, Access-Control-Request-Headers. The server must answer that preflight with Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers, and may add Access-Control-Max-Age so the browser caches the decision.

In PHP APIs the CORS headers must be set on every response, error responses included, because the browser applies the same check to a 4xx or 5xx. A wildcard Access-Control-Allow-Origin: * is only appropriate for public, unauthenticated APIs. When the frontend sends the request with credentials (fetch credentials: 'include' or XMLHttpRequest withCredentials = true, which is what makes the browser attach cookies and HTTP auth), the server must respond with one specific allowlisted origin, never *, and must also send Access-Control-Allow-Credentials: true. A bearer token that JavaScript itself places in the Authorization header does not on its own make the request credentialed, but it is still a non-simple request that triggers a preflight, and Authorization must then be named explicitly in Access-Control-Allow-Headers (a * value for that header never covers it). Whatever the mode, send Vary: Origin alongside any per-origin value so that shared caches do not serve one origin's response to another.

Common Misconception

Setting Access-Control-Allow-Origin: * fixes all CORS errors. It does not. When the browser sends a credentialed request (cookies, HTTP auth, anything made with credentials: 'include'), it rejects a wildcard origin outright, and it also treats a literal * in Access-Control-Allow-Methods or Access-Control-Allow-Headers as that literal value rather than as a wildcard. The server must respond with the exact allowed origin plus Access-Control-Allow-Credentials: true; a CORS error on a credentialed request is only fixed by allowlisting that specific origin.

Why It Matters

CORS errors are among the most common issues PHP API developers hit when the frontend is built and hosted separately from the backend. Understanding CORS saves hours of debugging what looks like a server error but is a browser-side block. More importantly, a CORS misconfiguration is a security risk. Browsers refuse the literal combination Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true, so the dangerous pattern in practice is its working equivalent: a PHP API that copies the incoming Origin header back into Access-Control-Allow-Origin (or accepts it after a substring or loose regex check) and also sets Allow-Credentials: true. That lets any website a logged-in user visits make authenticated requests to the API and read the responses.

Common Mistakes

  • Not handling OPTIONS preflight requests: non-simple requests get a preflight that must return a 2xx (200 or 204) with the CORS headers, not a 404 or 405 Method Not Allowed from the router.
  • Setting CORS headers only on success responses: error responses (4xx, 5xx) must also carry them, or the browser hides the status and body from the JavaScript and the frontend sees only a generic network error.
  • Using Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true: browsers reject this combination. Specify the exact origin, and compare it with a strict equality check against an allowlist rather than echoing the request's Origin header back.
  • Setting CORS headers in application middleware only: some PHP frameworks answer OPTIONS at the router level (often with a 404 or 405) before middleware runs, so handle the preflight earlier, in the front controller.
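The whole flow the Explanation describes, and the four mistakes listed above, in one added example that is not CodeClarityLab's code: a pure decision function (so the policy can be run from the CLI against constructed requests) plus the front-controller wiring that emits it before any route runs. The allowlist, the method and header lists and the cors_policy.php filename are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not CodeClarityLab's code. The allowlist, method list and
// header list are hypothetical; replace them with your frontend's real values.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'authorization', 'x-csrf-token'];

/**
 * Decide the CORS response for one request without calling header(), so the
 * logic can be exercised from the CLI. Returns ['status' => int|null, 'headers' => array];
 * status is non-null only when the request is a preflight that is fully answered here.
 */
function corsDecision(string $method, array $headers): array
{
    $origin = $headers['Origin'] ?? null;
    $out = ['Vary' => 'Origin']; // on every response: cached responses differ per origin
    $isPreflight = $method === 'OPTIONS' && isset($headers['Access-Control-Request-Method']);

    // Strict, exact match against the allowlist. Never use a substring or loose regex
    // and never echo the Origin back: "https://app.example.com.evil.test" and "null"
    // must both fail. No Origin header means a same-origin or non-browser request.
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        // Unknown origin: no Access-Control-* headers at all, so the browser blocks the read.
        return ['status' => $isPreflight ? 403 : null, 'headers' => $out];
    }

    $out['Access-Control-Allow-Origin'] = $origin;     // the matched value, never *
    $out['Access-Control-Allow-Credentials'] = 'true'; // this API accepts cookies/auth

    if (!$isPreflight) {
        return ['status' => null, 'headers' => $out]; // actual request: the app sets status and body
    }

    // Preflight: validate what the browser says it intends to send.
    $reqMethod = strtoupper($headers['Access-Control-Request-Method']);
    $reqHeaders = array_filter(array_map(
        function (string $h): string { return strtolower(trim($h)); },
        explode(',', $headers['Access-Control-Request-Headers'] ?? '')
    ));
    if (!in_array($reqMethod, ALLOWED_METHODS, true) || array_diff($reqHeaders, ALLOWED_HEADERS) !== []) {
        return ['status' => 403, 'headers' => $out]; // the browser would reject the real request anyway
    }
    $out['Access-Control-Allow-Methods'] = implode(', ', ALLOWED_METHODS);
    // Name Authorization explicitly: a "*" value here never covers it.
    $out['Access-Control-Allow-Headers'] = 'Content-Type, Authorization, X-CSRF-Token';
    $out['Access-Control-Max-Age'] = '86400';
    return ['status' => 204, 'headers' => $out];
}

/** Emit a decision with header(); values set here persist on later 4xx/5xx responses. */
function emitCors(array $decision): void
{
    foreach ($decision['headers'] as $name => $value) {
        header($name . ': ' . $value);
    }
    if ($decision['status'] !== null) { // a fully answered preflight: stop before routing
        http_response_code($decision['status']);
        exit;
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed scenarios for a local run: php cors_policy.php
    $scenarios = [
        'simple GET, allowed origin'     => ['GET', ['Origin' => 'https://app.example.com']],
        'preflight PUT+JSON, allowed'    => ['OPTIONS', ['Origin' => 'https://app.example.com',
            'Access-Control-Request-Method' => 'PUT',
            'Access-Control-Request-Headers' => 'content-type, authorization']],
        'preflight, attacker suffix'     => ['OPTIONS', ['Origin' => 'https://app.example.com.evil.test',
            'Access-Control-Request-Method' => 'PUT']],
        'preflight, null origin'         => ['OPTIONS', ['Origin' => 'null',
            'Access-Control-Request-Method' => 'DELETE']],
        'preflight, unlisted header'     => ['OPTIONS', ['Origin' => 'https://app.example.com',
            'Access-Control-Request-Method' => 'POST',
            'Access-Control-Request-Headers' => 'X-Admin-Override']],
        'no Origin header (same-origin)' => ['GET', []],
    ];
    foreach ($scenarios as $name => $pair) {
        list($method, $headers) = $pair;
        $d = corsDecision($method, $headers);
        printf("%-32s status=%-4s allow-origin=%s\n", $name,
            $d['status'] ?? 'app', $d['headers']['Access-Control-Allow-Origin'] ?? '(none)');
    }
} else {
    // Front controller: rebuild header names from $_SERVER's HTTP_* entries, decide, emit.
    $headers = [];
    foreach ($_SERVER as $k => $v) {
        if (strpos($k, 'HTTP_') === 0) {
            $headers[ucwords(strtolower(str_replace('_', '-', substr($k, 5))), '-')] = $v;
        }
    }
    emitCors(corsDecision($_SERVER['REQUEST_METHOD'], $headers));
    // ... dispatch to the router here; 4xx/5xx responses keep the headers already sent ...
}
```

Run on the CLI it prints one line per constructed scenario: the allowed origin gets its exact value echoed, the look-alike origin and the null origin get no Access-Control-Allow-Origin at all, and a preflight naming an unlisted header is refused even from an allowed origin. Under a web SAPI the same function answers the real preflight with 204 before any route can turn it into a 404 or 405, and because header() values persist, the later 4xx and 5xx responses carry the same headers.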

Code Examples

✗ Vulnerable
// Wildcard origin, credentials enabled, and no preflight handling
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Credentials: true'); // wildcard + credentials: the browser rejects the response

// No OPTIONS branch: the preflight falls through to the API logic and gets a 405
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
✓ Fixed
// Emit CORS headers for one allowlisted origin; call it on every response, errors included
function setCorsHeaders(string $allowedOrigin): void {
    // Always vary on Origin so a shared cache never serves one origin's response to another
    header('Vary: Origin');
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    if ($origin !== $allowedOrigin) {
        return; // unknown origin: send no Access-Control-* headers at all; the browser blocks the read
    }
    header('Access-Control-Allow-Origin: ' . $origin); // the exact match, never * and never a reflected value
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type, Authorization, X-CSRF-Token');
    header('Access-Control-Max-Age: 86400'); // browsers cache the preflight result for up to 24h
}

// Set the headers and answer the preflight before routing, so the router never returns 404/405 for it
setCorsHeaders('https://app.example.com');
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(204); // no body needed; 200 also works
    exit;
}
// ... route the actual request; the headers set above persist on 4xx/5xx responses too ...

Added 23 Mar 2026
Edited 5 Apr 2026
Severity: 🟡 Medium · Fix effort: Low
⚡ Quick Fix
Use a CORS middleware that handles the OPTIONS preflight automatically, or, in a plain PHP API, answer OPTIONS with a 2xx (200 or 204) and the correct headers before routing. Allowlist specific origins with an exact match rather than using * or echoing the request's Origin header.
📦 Applies To
PHP 7.0+ (web SAPIs)
