CORS (Cross-Origin Resource Sharing)

Sitecheck Team

A browser mechanism, driven by HTTP response headers, that lets a server relax the same-origin policy and declare which other origins may read its responses.

CORS is a controlled relaxation of the browser's same-origin policy. By default, a script on one origin (e.g., evil.com) may be able to send a request to another origin (e.g., yourbank.com), carrying the victim's cookies, but the browser refuses to let the script read the response. The server opts in by returning an Access-Control-Allow-Origin header naming the requesting origin; if the response should be readable on credentialed requests (cookies, HTTP auth, client certificates), it must also return Access-Control-Allow-Credentials: true.

Why it matters: A misconfigured CORS policy lets an attacker's page read responses from authenticated API endpoints inside the victim's browser. The classic mistake is reflecting the request's Origin header into Access-Control-Allow-Origin (or matching it with a loose prefix, suffix or regex) while also sending Access-Control-Allow-Credentials: true. Browsers reject Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true, so a wildcard by itself exposes only unauthenticated data; it is still a sign the policy was never tested. CORS governs reading responses, not sending requests, so it is not a CSRF defence. Overly restrictive CORS breaks legitimate integrations.

Quick tips:

  • Validate the Origin header against an explicit allowlist of trusted origins (exact match on scheme, host and port) rather than using * or echoing whatever Origin arrives; never trust the literal origin null, which sandboxed iframes and file:// pages send. Add Vary: Origin when the allowed origin changes per request so caches do not serve one origin's headers to another.
  • Understand the difference between simple and preflighted requests: methods other than GET, HEAD and POST (e.g., PUT, DELETE), custom headers such as Authorization, and Content-Type values outside the form/plain-text set trigger a preflight OPTIONS request. Simple requests are sent without any preflight, which is why CORS alone does not stop CSRF.
  • Cache preflight responses with Access-Control-Max-Age to reduce latency; browsers cap the value (Chromium at two hours), so very large numbers buy nothing.
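The misconfiguration described under "Why it matters" and the allowlist and preflight tips above, worked through in code. This is an added example, not Sitecheck code: it builds the CORS response headers a credentialed API should return, contrasts them with the insecure Origin-reflection pattern, and includes a small audit function for the headers a probe gets back. The origins (app.example.com, admin.example.com, evil.example) and the request objects are constructed for illustration.

```javascript
// Added example (not Sitecheck code): building CORS response headers for a
// credentialed API and probing a response for the classic misconfigurations.
// The origins and request objects below are constructed for illustration.

// Exact-match allowlist: scheme, host and port must all match.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Insecure: echoes whatever Origin arrived and adds credentials. Any page,
// including an attacker's, can then read the authenticated response.
function corsHeadersReflecting(req) {
  const origin = req.headers['origin'];
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: allowlist lookup (a prefix or suffix check would let
// https://app.example.com.evil.net through), the literal origin "null" is
// never in the set, and Vary: Origin stops a shared cache from serving one
// origin's allow header to another.
function corsHeadersAllowlisted(req) {
  const origin = req.headers['origin'];
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Preflight: a non-simple request (PUT/DELETE, or custom headers such as
// Authorization) is preceded by OPTIONS. Answer it only for trusted origins
// and list only the methods and headers the API really uses.
function handlePreflight(req) {
  const base = corsHeadersAllowlisted(req);
  if (Object.keys(base).length === 0) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      ...base,
      'Access-Control-Allow-Methods': 'GET, PUT, DELETE',
      'Access-Control-Allow-Headers': 'Authorization, Content-Type',
      'Access-Control-Max-Age': '600',
    },
  };
}

// Probe check: given the headers a server returned to a request that carried
// an attacker-chosen Origin, list the policy problems. Empty means nothing
// obvious was found.
function auditCorsHeaders(headers, probeOrigin) {
  const acao = headers['Access-Control-Allow-Origin'];
  const creds = headers['Access-Control-Allow-Credentials'] === 'true';
  const findings = [];
  if (acao === '*' && creds) {
    // Browsers refuse this pairing, so it does not leak by itself, but it
    // shows the policy was never tested against a real credentialed request.
    findings.push('wildcard origin with credentials (browsers reject it; fix the config)');
  }
  if (acao === probeOrigin) {
    findings.push(creds
      ? 'reflects untrusted Origin with credentials: authenticated responses readable cross-site'
      : 'reflects untrusted Origin (no credentials): only unauthenticated data exposed');
  }
  if (acao === 'null') {
    findings.push('"null" origin allowed: sandboxed iframes and file:// pages send it');
  }
  return findings;
}

// Constructed requests: one from an attacker page, one preflight from a trusted app.
const attackerReq = { method: 'GET', headers: { origin: 'https://evil.example' } };
const trustedPreflight = { method: 'OPTIONS', headers: { origin: 'https://app.example.com' } };

console.log(auditCorsHeaders(corsHeadersReflecting(attackerReq), 'https://evil.example'));
// -> one finding: reflected Origin with credentials
console.log(auditCorsHeaders(corsHeadersAllowlisted(attackerReq), 'https://evil.example'));
// -> []
console.log(handlePreflight(trustedPreflight).status); // 204
```

The same probe from a shell is one request with a chosen Origin, for example `curl -sI -H 'Origin: https://evil.example' https://api.example.com/account` (hypothetical host), looking at the Access-Control-* headers that come back; repeat with `Origin: null` and with a suffix-spoofed origin such as `https://app.example.com.evil.net` to catch loose matching.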

See also: CSP, CSRF, HSTS.