Access-Control-Allow-Origin field
Access-Control-Allow-Origin identifies which requesting origin may read a CORS response.
- cors
- origins
- fields
- browsers
Meaning
Access-Control-Allow-Origin is a response field used by the browser CORS
protocol. It tells the browser that the response can be shared with the named
request origin, or with non-credentialed callers when the value is *.
Access-Control-Allow-Origin: https://app.example.invalid
Vary: Origin
Expected result: a CORS request whose serialized Origin is exactly
https://app.example.invalid can pass the origin check, subject to the rest of
the CORS protocol. Vary: Origin prevents a shared cache from treating responses
for different request origins as interchangeable.
Credentials change the wildcard rule
For a request whose credentials mode is include, the server must return the
explicit serialized origin and Access-Control-Allow-Credentials: true. The
wildcard value does not authorize a credentialed response.
The origin value has no trailing slash. It is a serialized origin such as
https://app.example.invalid, not an arbitrary page URL or a comma-separated
allowlist.
It is not access control for the resource
CORS controls whether browser JavaScript can read a cross-origin response. It does not authenticate the requester, authorize an operation, prevent a request from reaching the server, or protect a resource from non-browser clients.
Common mistakes
- Do not combine multiple origins into one field value.
- Do not reflect any supplied
Originwithout checking an allowlist. - Add
Vary: Originwhen the value changes by request origin. - Diagnose preflight permission separately from the actual response’s origin grant.
