CORS (Cross-Origin Resource Sharing)
CORS (Cross-Origin Resource Sharing) is a browser security mechanism restricting JavaScript on one origin from calling APIs on another unless the API returns appropriate Access-Control-* headers. SPAs that send JWT bearer tokens to APIs on different domains require CORS configuration. CORS is enforced by browsers, not by curl or server-to-server clients. Implementations across Node.js, Python, Go, Ruby, and Java follow the same RFC standards, so concepts transfer directly between stacks. Security reviews should treat this as part of your full authentication threat model, not an isolated configuration detail. Document expected behavior for client teams so tokens are issued, stored, and validated consistently across services.
Why It Matters
Misconfigured CORS does not replace authentication — it only controls browser exposure. Pair strict CORS allowlists with JWT validation on the server. Avoid wildcard origins with credentials. Preflight OPTIONS requests must succeed for custom Authorization headers. Getting this wrong often surfaces only after an incident, when forged or replayed tokens expose gaps in validation or secret handling. Platform teams should encode these rules in libraries, linting, and deployment checklists so individual services cannot drift silently. Pair technical controls with monitoring: log verification failures, track unusual token lifetimes, and alert on spikes in 401 responses. Review this during every auth-related change, including framework upgrades, CDN additions, and new mobile or third-party clients.
Related Terms
Related Articles
Frequently Asked Questions
Does CORS protect my API?
Only from untrusted browser origins. Attackers can still call your API directly without CORS. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.
CORS and Authorization header?
Custom headers trigger preflight. Servers must allow Authorization in Access-Control-Allow-Headers. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts. Test edge cases with expired, malformed, and wrong-algorithm tokens in CI before shipping auth changes.
Should I use * for CORS?
Not with credentials or sensitive JWT APIs. Enumerate trusted frontend origins explicitly. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts. Test edge cases with expired, malformed, and wrong-algorithm tokens in CI before shipping auth changes.