Anyone with a little experience in web development or web security has heard of CORS (Cross-Origin Resource Sharing). This is the most fundamental security header setup these days and is intended to restrict or allow resource sharing across different domains.
Browsers block cross-origin access to other sites by default. To enable access to the required sites, CORS must be configured through a set of HTTP headers. Configuring it properly keeps a website from breaking or loading only partially.
NOTE: This security measure applies to both normal web browsing and API-based HTTP requests. In this article we discuss only the basics of this mechanism and its directives. For how it actually works, I will create a new article.
Header list and their configuration:
HTTP response headers: these are configured on the web server where the resources reside.
Access-Control-Allow-Origin: Takes as input the origin list from which access to the resources is allowed.
Access-Control-Expose-Headers: Allows the browser access to the listed response headers.
Access-Control-Max-Age: Cache timeout for the resource web server's CORS answer.
Access-Control-Allow-Credentials: Tells whether the resource is accessible when the request's credentials flag is set. This is helpful when we want to make resources inaccessible without user authentication.
Access-Control-Allow-Methods: Which HTTP request methods can be used when asking for the resource.
Access-Control-Allow-Headers: Which HTTP request headers can be used when asking for the resource.
HTTP request headers: these are configured on the web server from which the resources are being requested.
Origin: The name of the requester; this is what must be included in Access-Control-Allow-Origin on the resource side.
Access-Control-Request-Method: Which HTTP method will be used to request the resource. Goes hand-in-hand with Access-Control-Allow-Methods on the resource web server.
Access-Control-Request-Headers: Which headers will be used to request the resource. Goes hand-in-hand with Access-Control-Allow-Headers on the resource web server.
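To make the two header lists concrete, here is an added example (not code from the original article) of how a resource server can turn the request-side headers (Origin, Access-Control-Request-Method, Access-Control-Request-Headers) into the response-side headers listed above. The origin allowlist, method list and header names are constructed values for illustration; the function works with plain `{ method, headers }` objects, so it can be dropped in front of a Node.js `http` request handler or run on its own.

```javascript
// Added example, not code from the original article. Computes the
// Access-Control-* response headers a resource server should send for a
// given browser request. All allowlist values below are constructed.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",   // constructed example origins
  "https://admin.example.com",
]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "authorization", "x-request-id"];
const EXPOSED_HEADERS = ["X-Request-Id"];
const MAX_AGE_SECONDS = 600; // how long the browser may cache this preflight answer

// Split a comma-separated header value into trimmed, lower-cased tokens.
function parseList(value) {
  if (!value) return [];
  return value.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// req is { method, headers } with lower-cased header names, as Node's http
// module provides them. Returns { status, headers }: the status to answer with
// and the CORS headers to attach to the response.
function corsHeaders(req) {
  const origin = req.headers["origin"];
  const headers = {};

  // No Origin header: same-origin navigation or a non-browser client. Nothing to add.
  if (!origin) return { status: 200, headers };

  // The answer depends on Origin, so shared caches must not replay one origin's
  // Access-Control-Allow-Origin value to a different origin.
  headers["Vary"] = "Origin";

  // Exact-match allowlist. An origin that is not listed gets no Access-Control-*
  // headers at all, so the browser refuses to expose the response to the page.
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers };

  const isPreflight =
    req.method === "OPTIONS" && Boolean(req.headers["access-control-request-method"]);

  if (isPreflight) {
    const reqMethod = req.headers["access-control-request-method"].toUpperCase();
    const reqHeaders = parseList(req.headers["access-control-request-headers"]);
    const methodOk = ALLOWED_METHODS.includes(reqMethod);
    const headersOk = reqHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    // Reject the preflight (still without any Allow-* headers) if the actual
    // request would use a method or header we do not permit.
    if (!methodOk || !headersOk) return { status: 403, headers };

    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = String(MAX_AGE_SECONDS);
    return { status: 204, headers };
  }

  // Actual (or simple) request from an allowed origin. Echo the single matched
  // origin; "*" can never be combined with credentials.
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";
  headers["Access-Control-Expose-Headers"] = EXPOSED_HEADERS.join(", ");
  return { status: 200, headers };
}

// Sanity check for a response's CORS headers (e.g. captured from your own
// server): returns a list of problems, empty when the combination is sound.
function corsResponseProblems(headers) {
  const problems = [];
  const acao = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"];
  if (acao === "*" && creds === "true") {
    problems.push("wildcard origin combined with credentials");
  }
  if (acao && acao !== "*" && !ALLOWED_ORIGINS.has(acao)) {
    problems.push(`origin not on allowlist: ${acao}`);
  }
  if (acao && acao !== "*" && !parseList(headers["Vary"]).includes("origin")) {
    problems.push("per-origin answer without Vary: Origin");
  }
  return problems;
}
```

The two decisions worth noting are that an unknown origin receives no Access-Control-* headers at all rather than a wildcard, and that Access-Control-Allow-Origin always echoes one exact allowlisted value together with Vary: Origin, which is the only form that may be paired with Access-Control-Allow-Credentials: true.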