Last modified on Thu 23 Sep 2021

CORS (Cross-Origin Resource Sharing) is a mechanism for allowing web requests between domains (origins). Cross-origin requests are by default prevented by the browser same-origin policy — CORS exists to lift that restriction when required.

An excellent guide to CORS is available here. This mechanism concerns frontend and backend developers alike and should be understood by both. The omnipresence of CORS cannot be understated — if your work concerns the Web, CORS will crop up eventually. Therefore, don't hesitate to understand how it works, take your time and read the guide.


Assuming you have read the guide, you still might feel a lack of confidence as to how it works. This is not uncommon with CORS, it is one of the most misunderstood aspects of the Web. Therefore, the following list of misconceptions has been compiled to help you understand it better:

To learn more about CORS misconceptions and misconfigurations, read this article which shows how even the most popular sites fail to properly serve CORS headers.

How to set up headers

For Rack-based applications (like Ruby on Rails), rack-cors is the most popular choice for CORS headers management. Follow the gem README and make sure to read the Common Gotchas chapter.

If you're setting up CORS for environments which are accessed locally by frontend developers (like staging), add localhost to the list of allowed domains so they can send requests from their local environment.