Cross-Origin Resource Sharing
A browser security mechanism that controls which origins are permitted to make requests to an API or resource from client-side JavaScript.
In detail
Cross-Origin Resource Sharing (CORS) is the mechanism by which a server declares which other origins (scheme + host + port combinations) are allowed to make cross-origin requests to it from a browser. Without CORS restrictions, a malicious website could use a logged-in user's browser to make API calls to your server and read the responses. CORS is enforced by the browser, using preflight OPTIONS requests and response headers such as Access-Control-Allow-Origin. A misconfigured CORS policy that sets Access-Control-Allow-Origin to * or reflects the request's Origin header without validating it effectively disables the protection.
Why it matters for Australian business
CORS misconfiguration is a common finding in vibe-coded Australian APIs. AI generators often set wildcard CORS to stop 'it's not working' errors during development, and that wildcard ships to production. The consequence is that any website can make authenticated API requests using a victim user's browser session. We check CORS configuration on every API audit and enforce origin allowlists against the specific domains that need access.
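The two misconfigurations described above next to the allowlist approach we audit for, as an added example that is not part of the original entry. It is plain Node.js with no framework; the origins, allowlist entries and the auditCorsHeaders helper are constructed for illustration.

```javascript
// Added example, not from the original page. Builds the CORS response headers
// for each pattern so the difference can be checked offline in Node.js.

// Misconfiguration 1: wildcard origin. Browsers will not expose a response to a
// credentialed request when the origin is "*", so the typical "fix" for the
// resulting console error is misconfiguration 2 below.
function wildcardCors() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Misconfiguration 2: reflect whatever Origin the request carried and allow
// credentials. Any site can now read authenticated responses from the API.
function reflectingCors(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened version: exact-match allowlist of full origins (scheme + host + port).
// Suffix or substring checks are avoided because "example.com.au.attacker.example"
// would pass them. Unknown origins get no allow headers, so the browser blocks
// the read. "Vary: Origin" stops caches serving one origin's response to another.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com.au',   // constructed sample values
  'https://admin.example.com.au',
]);

function allowlistCors(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== 'string' || !allowed.has(requestOrigin)) {
    return { Vary: 'Origin' };
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Audit check (hypothetical helper): classify a captured response header set.
function auditCorsHeaders(headers, requestOrigin) {
  const acao = headers['Access-Control-Allow-Origin'];
  const creds = headers['Access-Control-Allow-Credentials'] === 'true';
  if (acao === '*') return 'wildcard';
  if (creds && acao === requestOrigin && !ALLOWED_ORIGINS.has(acao)) return 'reflected';
  return 'ok';
}
```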