A
Access-Control-Allow-Origin
The HTTP response header that tells the browser which origins are allowed to read a cross-origin response.
C
CORS
Cross-Origin Resource Sharing — the browser-enforced rule that decides whether a page on one origin is allowed to read a response from another.
CORS proxy
A server-side intermediary that adds the right CORS headers so the browser stops blocking your cross-origin request.
Credentialed request
A cross-origin request that carries cookies or HTTP-auth headers. Triggers stricter CORS rules — the server can't use the wildcard origin.
O
Origin
The triple of scheme, host, and port — https://app.example.com:443 is one origin. The unit of trust the browser uses for security decisions.
P
Preflight request
The OPTIONS request the browser sends before non-trivial cross-origin calls to ask the server whether the real request is allowed.
S
Same-origin policy
The default browser rule: a page can only read responses from its own origin. CORS is the formal opt-out.
SSRF
Server-Side Request Forgery — when an attacker tricks a server into making requests on their behalf, often to internal infrastructure. The primary security risk for any CORS proxy.