🌐 CORS Policies Every Backend Developer Must Know

Published: December 17, 2025 at 10:34 AM EST
2 min read
Source: Dev.to

What Is CORS?

CORS is a browser security mechanism that controls whether a page served from one origin (scheme, host and port) may read responses from a resource on another origin.

Important: CORS is enforced by the browser, but configured by the backend.

The Most Common CORS Mistake

Access-Control-Allow-Origin: *

This header lets a page on any website read responses from your API. If your API uses cookies, tokens, or sessions, this is a serious security risk.

Best Practices for Secure CORS Configuration

1️⃣ Use an Allowlist of Trusted Origins

Only allow known domains:

const allowedOrigins = [
  'https://app.example.com',
  'https://admin.example.com'
];

2️⃣ Never Use Wildcards with Credentials

When you use cookies, JWTs in headers, or sessions, you must specify exact origins:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://app.example.com

* is not allowed when Access-Control-Allow-Credentials is true.

3️⃣ Limit Allowed HTTP Methods

Only permit the methods your API actually needs:

Access-Control-Allow-Methods: GET, POST, PUT, DELETE

Avoid exposing unused methods such as PATCH or OPTIONS unnecessarily.

4️⃣ Restrict Allowed Headers

Explicitly define which request headers are permitted:

Access-Control-Allow-Headers: Content-Type, Authorization

5️⃣ Handle Preflight (OPTIONS) Requests Properly

Browsers send an OPTIONS request before API calls that are not "simple" requests, for example calls that carry a custom header such as Authorization, send a JSON Content-Type, or use a method like PUT or DELETE.

Best practice:

  • Respond quickly (e.g., 204 No Content).
  • Do not require authentication for the preflight response.
  • Return the appropriate CORS headers.
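Points 1 to 5 combined in one decision function, added here as an example that is not code from the original post. The function name corsHeadersFor and the plain-object request shape ({ method, headers }) are assumptions; the origins, methods and headers are the ones used on this page.

```javascript
// Added example: apply allowlist, credentials and preflight rules to one request.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['Content-Type', 'Authorization'];

// Returns { status, headers }: the CORS headers to add to the response and,
// for a preflight, the status to answer with (null means "handle normally").
// `req` is assumed to be { method, headers: { origin, 'access-control-request-method' } }.
function corsHeadersFor(req) {
  const origin = req.headers.origin;
  // Exact match against the allowlist. A looser check such as
  // origin.endsWith('example.com') would also accept other hosts whose
  // name merely ends in that string, so only full-origin equality is used.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // Untrusted or same-origin request: emit no CORS headers at all, so the
    // browser refuses to hand the response to a cross-origin page.
    return { status: null, headers: {} };
  }
  const headers = {
    'Access-Control-Allow-Origin': origin,     // the exact origin, never '*'
    'Access-Control-Allow-Credentials': 'true', // cookies/Authorization allowed
    // The Allow-Origin value differs per request, so shared caches must key on Origin.
    'Vary': 'Origin',
  };
  const isPreflight = req.method === 'OPTIONS'
    && 'access-control-request-method' in req.headers;
  if (isPreflight) {
    const wanted = req.headers['access-control-request-method'];
    if (ALLOWED_METHODS.includes(wanted)) {
      headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
      headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
      headers['Access-Control-Max-Age'] = '86400'; // cache the preflight for a day
    }
    // Otherwise answer without Allow-Methods; the browser then blocks the real call.
    // Preflights carry no credentials, so answer 204 before any auth middleware runs.
    return { status: 204, headers };
  }
  return { status: null, headers };
}

// Constructed sample: a preflight for PUT from the trusted app origin.
console.log(corsHeadersFor({
  method: 'OPTIONS',
  headers: { origin: 'https://app.example.com', 'access-control-request-method': 'PUT' },
}));
```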

6️⃣ Environment‑Based CORS Rules

Environment    Policy
Development    Allow localhost
Staging        Allow test domains
Production     Strict allowlist

This approach keeps development easy while keeping production secure.

7️⃣ Do Not Treat CORS as a Security Mechanism

CORS does not replace:

  • Authentication
  • Authorization
  • Rate limiting
  • Input validation

Attackers can still call your API directly using tools like Postman or curl.

Example: Secure Node.js CORS Configuration

const cors = require('cors');
const express = require('express');
const app = express();

app.use(cors({
  origin: ['https://app.example.com'],
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  credentials: true,
  maxAge: 86400 // seconds
}));

Interview Tip

Q: Is CORS a frontend or backend security feature?
A: CORS is enforced by the browser, but controlled by the backend.

Final Thoughts

A good backend developer:

  • Uses least‑privilege CORS settings.
  • Avoids wildcards in production.
  • Separates environment configurations.
  • Understands that CORS is not a substitute for real security controls.

Correct CORS configuration demonstrates professional backend maturity.
