Access-Control-Allow-Origin
The HTTP Access-Control-Allow-Origin response header indicates whether the response is shareable with requesting code from a given origin. This header is the cornerstone of the CORS protocol.
Usage
Every CORS response includes Access-Control-Allow-Origin to tell the browser whether front-end code from a specific origin is allowed to read the response. Without a matching value, the browser blocks the response from reaching JavaScript.
Servers choosing to allow access have three options: a wildcard, an explicit origin, or null. Most production APIs dynamically select the origin by comparing the incoming Origin request header against an allowlist. When the origin matches, the server echoes the value back. Because the response changes depending on the request, a Vary: Origin header is required so caches store separate copies for each origin.
Values
* (wildcard)
Permits any origin to read the response. The wildcard is only valid for requests without credentials.
Access-Control-Allow-Origin: *
Note
The wildcard is incompatible with credentialed requests. When Access-Control-Allow-Credentials is true, the server must return an explicit origin.
Explicit origin
A single origin value consisting of a scheme, hostname, and optional port. This is the standard approach for APIs restricted to known callers.
Access-Control-Allow-Origin: https://app.example.re
Only one origin is allowed per response. Servers supporting multiple origins inspect the Origin request header and reply with the matched value, adding Vary: Origin to the response.
null
Represents an opaque or privacy-sensitive origin. Some sandboxed documents and local file URLs send null as their origin.
Access-Control-Allow-Origin: null
Note
Responding with null is discouraged. Malicious documents from sandboxed iframes also carry a null origin, making this value easy to forge.
Example
A server dynamically mirrors the requesting origin and includes a Vary header for correct cache behavior.
Access-Control-Allow-Origin: https://app.example.re
Vary: Origin
A public CDN serving static assets to any caller uses the wildcard.
Access-Control-Allow-Origin: *
A credentialed cross-origin response pairs the explicit origin with the credentials header.
Access-Control-Allow-Origin: https://dashboard.example.re
Access-Control-Allow-Credentials: true
Vary: Origin
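The allowlist logic described under Usage and in the examples above, as an added, framework-agnostic helper that is not part of this reference page. The allowlist contents and the policy object shape are assumptions; the function returns the headers to attach to one response, applying the wildcard, credentials, and null rules from the sections above.

```javascript
// Constructed allowlist of exact origins (scheme://host[:port]); an assumption for this example.
const allowedOrigins = new Set([
  'https://app.example.re',
  'https://dashboard.example.re',
]);

/**
 * Compute the CORS response headers for a single request.
 * @param {string|undefined} requestOrigin  value of the incoming Origin request header
 * @param {{allowlist: Set<string>, credentials: boolean, public: boolean}} policy
 *   allowlist   - exact origins permitted to read the response
 *   credentials - the endpoint is called with cookies or Authorization
 *   public      - static, non-credentialed resource served to any caller
 * @returns {Record<string,string>} headers to add; no Access-Control-Allow-Origin means "not shareable"
 */
function corsHeaders(requestOrigin, policy) {
  // Public resources use the wildcard, which is only valid without credentials.
  if (policy.public) {
    if (policy.credentials) {
      throw new Error('wildcard origin cannot be combined with credentials');
    }
    return { 'Access-Control-Allow-Origin': '*' };
  }

  // Every response from a dynamic endpoint varies on Origin, including denials,
  // so a shared cache never serves one origin's copy to another.
  const headers = { Vary: 'Origin' };

  // "null" is sent by sandboxed documents and file: URLs and is easy to forge,
  // so it is never treated as an allowed origin. A missing header is not cross-origin.
  if (!requestOrigin || requestOrigin === 'null') {
    return headers;
  }

  // Exact-match comparison only: prefix or substring checks would accept
  // unrelated origins that merely contain an allowed value.
  if (!policy.allowlist.has(requestOrigin)) {
    return headers;
  }

  // Echo the matched origin; pair it with the credentials header when needed.
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  if (policy.credentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}
```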
Takeaway
The Access-Control-Allow-Origin header controls which origins are permitted to read a cross-origin response, making it the primary gatekeeper of the CORS protocol.
See also
- Fetch Standard: HTTP Access-Control-Allow-Origin
- Origin
- Vary
- Access-Control-Allow-Credentials
- Access-Control-Allow-Methods
- CORS
- HTTP headers