CORS Patterns

Configure Cross-Origin Resource Sharing correctly for secure API access.

Difficulty
intermediate
Read time
1 min read
Version
v1.0.0
Confidence
established

Quick Reference

CORS:

  • Never use Access-Control-Allow-Origin: * with credentials.
  • Whitelist specific origins.
  • Handle preflight (OPTIONS) requests.
  • Set an appropriate Access-Control-Max-Age.
  • Include only needed headers in Access-Control-Expose-Headers.
  • Validate the Origin header server-side.
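The rules above as one framework-agnostic policy function, added here as an illustration; it is not code from the original page. The origin allowlist, the method and header lists, the 600-second max-age and the request shape (`{ method, headers }` with lowercase header names, as Node's http module provides them) are assumptions made for the example.

```javascript
// Added example (not from the original page): allowlist-based CORS policy as a
// pure function, so it can sit in front of any HTTP framework.
// The origins, header lists and max-age below are constructed values.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_REQUEST_HEADERS = ['content-type', 'authorization', 'x-request-id'];
const EXPOSED_HEADERS = ['x-request-id']; // only what the frontend actually reads
const MAX_AGE_SECONDS = 600;              // browsers may cache the preflight result this long

// Exact string match only: no prefix, suffix or regex matching, and no reflection
// of arbitrary origins. "null" and "https://app.example.com.evil.net" both fail.
function isAllowedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// "Content-Type, Authorization" -> ["content-type", "authorization"]
function parseHeaderList(value) {
  return (value || '')
    .split(',')
    .map((s) => s.trim().toLowerCase())
    .filter((s) => s.length > 0);
}

// req = { method, headers } with lowercase header names.
// Returns { allowed, preflight, status, headers } for the caller to apply.
function corsPolicy(req) {
  const origin = req.headers['origin'];
  // Vary: Origin stops a shared cache from serving one origin's response to another.
  const headers = { Vary: 'Origin' };

  // No Origin header: same-origin or non-browser client, so no CORS headers at all.
  if (origin === undefined) {
    return { allowed: true, preflight: false, status: null, headers: {} };
  }
  // Unknown origin: send no Allow-* headers and the browser blocks the response.
  if (!isAllowedOrigin(origin)) {
    return { allowed: false, preflight: false, status: null, headers };
  }

  const requestedMethod = req.headers['access-control-request-method'];
  const preflight = req.method === 'OPTIONS' && requestedMethod !== undefined;

  if (preflight) {
    const requestedHeaders = parseHeaderList(req.headers['access-control-request-headers']);
    const methodOk = ALLOWED_METHODS.includes(requestedMethod.toUpperCase());
    const headersOk = requestedHeaders.every((h) => ALLOWED_REQUEST_HEADERS.includes(h));
    if (!methodOk || !headersOk) {
      return { allowed: false, preflight: true, status: 403, headers };
    }
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_REQUEST_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = String(MAX_AGE_SECONDS);
  }

  // Echo the validated origin, never '*', because credentials are allowed.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  headers['Access-Control-Expose-Headers'] = EXPOSED_HEADERS.join(', ');

  return { allowed: true, preflight, status: preflight ? 204 : null, headers };
}
```

To wire it in, call `corsPolicy` before routing: copy `headers` onto the response, and when `preflight` is true end the response with `status` and an empty body instead of dispatching to a handler. Rejected simple requests get only `Vary: Origin`; the browser enforces the block, so the API itself need not change its response. Preflights are rejected explicitly because an unexpected method or header name is a policy violation worth logging.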

Use When

  • Cross-origin API requests
  • Frontend on different domain
  • Third-party integrations
  • Microservices

Skip When

  • Same-origin requests
  • Server-to-server calls
  • Mobile native apps

Tags

cors security api headers preflight
