Back to All Questions
Question 67 of 100
API Security Testing
Advanced
Q67: What is CORS? How Does it Affect Web APIs?
🌐Core Concept
What is CORS? How Does it Affect Web APIs?
Key Takeaways & Architecture Summary
- ✓CORS stands for Cross-Origin Resource Sharing; browser-level security.
- ✓Prevents scripts on one domain from making request calls to another domain.
- ✓Configured via HTTP headers: Access-Control-Allow-Origin.
Direct Answer Summary
CORS (Cross-Origin Resource Sharing) is a browser-enforced security mechanism that restricts web applications from requesting resources from a different origin domain than the one that served the initial page. Web APIs must explicitly return headers like `Access-Control-Allow-Origin` defining permitted client domains to enable web access.
⚠️ Senior Engineering Warning (Red Flag)
Never configure Access-Control-Allow-Origin: * in production APIs. Wildcard headers allow any malicious site to read data from your endpoints on behalf of logged-in users.
💡 STAR Architectural Explanation & Pro Tip
Browsers enforce CORS using "preflight" requests (HTTP OPTIONS method) sent prior to the real request, confirming that the destination server permits the origin and headers.
RestAssuredTest.java
Rest-Assured + Java// Express.js configuration defining precise CORS permissions
app.use(cors({
origin: 'https://careerraah.com', // Explicitly allow only trusted domain
methods: ['GET', 'POST', 'PUT', 'DELETE']
}));