Open in app

Sign in

Write

Sign in

Understanding Access-Control-Allow-Origin: A Comprehensive Guide with Examples

Pawan Jaiswal
3 min readJan 25, 2024

--

Cross-Origin Resource Sharing (CORS) is a crucial security feature implemented by web browsers to control how web pages in one domain can request and interact with resources hosted on another domain. The Access-Control-Allow-Origin (ACAO) header is a key component of CORS, playing a pivotal role in determining which origins are permitted to access a particular resource.

  1. CORS Basics:

Cross-Origin Resource Sharing addresses the security implications of making requests across different origins (domains) in web applications. By default, web browsers restrict such cross-origin requests due to the same-origin policy, which is a security measure to prevent malicious websites from making unauthorized requests on behalf of users.

CORS introduces a set of HTTP headers that allow servers to specify which origins are permitted to access their resources. The Access-Control-Allow-Origin header is central to this process, indicating the allowed origins for a particular resource.

  1. Access-Control-Allow-Origin Header:

The Access-Control-Allow-Origin header is sent by the server in the response to an HTTP request. It specifies which origins are permitted to access the requested resource. The header value can be a specific origin, a comma-separated list of origins, or the wildcard ‘*’ to allow any origin.

Example 1: Allowing a Specific Origin

Access-Control-Allow-Origin: https://example.com

Example 2: Allowing Multiple Origins

Access-Control-Allow-Origin: https://example.com, https://anotherexample.com

Example 3: Allowing Any Origin (Wildcard)

Access-Control-Allow-Origin: *
  1. Handling Simple Requests:

Simple requests are those that meet certain criteria and do not trigger a preflight request. These criteria include using only safe HTTP methods (GET, HEAD, POST), excluding custom headers, and not requiring credentials (like cookies or HTTP authentication). In such cases, the server includes the Access-Control-Allow-Origin header directly in the response.

Example:

GET /api/data HTTP/1.1
Origin: https://example.com

HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://example.com
Content-Type: application/json

Preflight Requests:

For more complex requests, the browser initiates a preflight request before the actual request. Preflight requests use the HTTP OPTIONS method to check with the server whether the actual request (e.g., with custom headers or credentials) is permitted. The server responds with appropriate CORS headers, including Access-Control-Allow-Origin.

Example:

OPTIONS /api/data HTTP/1.1
Origin: https://example.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: Authorization

HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: PUT
Access-Control-Allow-Headers: Authorization

Handling Credentialed Requests:

When requests include credentials such as cookies or HTTP authentication, the server must specify the allowed origins and credentials must be included in the request. This involves setting the withCredentials property to true in XMLHttpRequest or with the credentials option in Fetch API.

Example:

fetch('https://api.example.com/data', {
  method: 'GET',
  credentials: 'include',
  headers: {
    'Authorization': 'Bearer TOKEN'
  }
})
  .then(response => {
    // Handle the response
  });

Server Response:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Credentials: true
Content-Type: application/json

Conclusion:

Understanding and implementing the Access-Control-Allow-Origin header is crucial for web developers working on cross-origin requests. Whether handling simple requests or preflight requests, proper CORS configuration ensures a secure and controlled environment for web applications. By grasping the intricacies of CORS and the Access-Control-Allow-Origin header, developers can build robust and secure web applications that interact seamlessly across different origins.

DockerHub Link

To try out a demo environment for different vulnerabilities, you can visit our DockerHub repository here https://hub.docker.com/u/pawanjswal

Video Tutorial

Video tutorials for exploiting vulnerabilities are available here https://www.youtube.com/@OpenExploit

Originally published at https://www.openexploit.in

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Cybersecurity
Hacking
Programming
Software Engineering
Technology

--

--

Pawan Jaiswal
Pawan Jaiswal

Written by Pawan Jaiswal

148 Followers
13 Following

Blogging about security at OpenExploit.in

No responses yet

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams