/ HTTP Headers


The Access-Control-Allow-Origin header is an essential component of Cross-Origin Resource Sharing (CORS) policy, a mechanism that provides many client-side web applications with secure permissions to select resources from a server on a different origin (domain, protocol, or port) than the site currently in use.

What is Access-Control-Allow-Origin

The Access-Control-Allow-Origin HTTP response header indicates whether the response can be shared with requesting code from the given origin. This header is critical for handling cross-origin requests. In simpler terms, it tells browsers whether to allow a web application running at one origin to access selected resources from a server at a different origin.

Basic Usage

The header follows the format:

Access-Control-Allow-Origin: <origin> | *

The <origin> is a URI that specifies the server from which the browser should permit loading resources. Alternatively, * can be used to allow any origin to access the resource.

For instance, consider a response with this header:

Access-Control-Allow-Origin: https://example.com

Here, the server permits https://example.com to access this resource.

Conversely, when a response includes the header:

Access-Control-Allow-Origin: *

The server allows any origin to access the resource.

Detailed Examples

Let’s delve into more complex scenarios involving Access-Control-Allow-Origin and associated headers.

Scenario 1: Specific Origin

Consider a scenario where your server is at https://yourserver.com, and you want to permit https://trusted.com to access your resources. You’ll respond with:

Access-Control-Allow-Origin: https://trusted.com

Scenario 2: Multiple Origins

However, what if you need to permit multiple origins? The Access-Control-Allow-Origin header doesn’t directly support this. You must dynamically generate the header based on the Origin header in the HTTP request:

Suppose you have a list of trusted origins:

const trustedOrigins = ['https://trusted1.com', 'https://trusted2.com'];

You then check if the request’s origin is within that list:

const origin = request.getHeader('Origin');
if (trustedOrigins.includes(origin)) {
  response.setHeader('Access-Control-Allow-Origin', origin);

This JavaScript snippet sets the Access-Control-Allow-Origin header to the value of the request’s Origin header if it’s found within trustedOrigins.

Scenario 3: Any Origin

In some cases, you may want to allow any origin to access your resources. To do this, you can use the wildcard character *:

Access-Control-Allow-Origin: *

Note: Be cautious when using * with credentials. The specification does not allow the Access-Control-Allow-Origin header to be * when the Access-Control-Allow-Credentials header is true.

Scenario 4: Credentials

If you wish to allow credentials, then you cannot use *. Instead, specify the origin explicitly and include Access-Control-Allow-Credentials: true:

Access-Control-Allow-Origin: https://trusted.com
Access-Control-Allow-Credentials: true

With this response, https://trusted.com is allowed to access the resource, and the browser will permit sending credentials, like cookies or HTTP authentication details.

Considerations and Caveats

While Access-Control-Allow-Origin is powerful, it’s important to be aware of some potential pitfalls:

  • Security: Use of the * wildcard should be considered carefully due to potential security implications. Allowing any origin access to your resources may expose sensitive information or potentially harmful actions.
  • Credentials: As mentioned earlier, if you wish to use credentials, you can’t use the * wildcard.
  • Preflight Requests: For certain types of requests (e.g., POST requests with certain Content-Types, or requests with custom headers), the browser will send a preflight request using the OPTIONS method. The server must respond appropriately to these preflight requests, including proper CORS headers, for the actual request to be allowed.


In a world where web applications increasingly rely on resources from diverse origins, the Access-Control-Allow-Origin header plays a crucial role in security and resource sharing. Whether you’re allowing a select list of trusted sites or opening access to any origin, understanding and correctly implementing this header is key to the successful operation of your cross-origin requests.

Was this helpful?

Thanks for your feedback!