Web glossary

CORS, web-security, and HTTP terms — short, accurate, link-friendly. We keep these definitions deliberately plain so you can paste one into a code review without footnotes.

A

Access-Control-Allow-Origin

The HTTP response header that tells the browser which origins are allowed to read a cross-origin response.

C

CORS

Cross-Origin Resource Sharing — the browser-enforced rule that decides whether a page on one origin is allowed to read a response from another.

CORS proxy

A server-side intermediary that adds the right CORS headers so the browser stops blocking your cross-origin request.

Credentialed request

A cross-origin request that carries cookies or HTTP-auth headers. Triggers stricter CORS rules — the server can't use the wildcard origin.

O

Origin

The triple of scheme, host, and port — https://app.example.com:443 is one origin. The unit of trust the browser uses for security decisions.

P

Preflight request

The OPTIONS request the browser sends before non-trivial cross-origin calls to ask the server whether the real request is allowed.

S

Same-origin policy

The default browser rule: a page can only read responses from its own origin. CORS is the formal opt-out.

SSRF

Server-Side Request Forgery — when an attacker tricks a server into making requests on their behalf, often to internal infrastructure. The primary security risk for any CORS proxy.