Access-Control-Allow-Origin
===========================

Overview

The [Access-Control-Allow-Origin](/Access-Control-Allow-Origin) header is an HTTP response header that specifies which origins (an origin being the combination of scheme, host and port) are allowed to make cross-origin requests to a web server. This header plays a crucial role in Cross-Origin Resource Sharing (CORS), a security mechanism implemented in web browsers to prevent malicious scripts from making unauthorized requests on behalf of the user.

History

The [Access-Control-Allow-Origin](/Access-Control-Allow-Origin) header was introduced in HTTP/1.1 as part of the request-response model, and it has been maintained through subsequent updates and extensions. Its original purpose was to allow web servers to control which origins can make requests to their resources (such as images or scripts). Over time, its functionality expanded to include allowing certain types of data to be returned in response to requests from specific origins.

Syntax

The syntax of the [Access-Control-Allow-Origin](/Access-Control-Allow-Origin) header varies depending on the version of the HTTP specification being used. Here are some common variants:

  • 1.0 (HTTP/1.0): Access-Control-Allow-Origin: *
  • 2.0 (HTTP/1.1): Access-Control-Allow-Origin: *; Origin: *; Allow: *; Expires: *; Cache-Control: *; Pragma: * [1]
  • 3.0 (HTTP/2): Access-Control-Allow-Origin: *; Origin: *; Allow: *; Content-Security-Policy: *

Variations

The [Access-Control-Allow-Origin](/Access-Control-Allow-Origin) header can take several variations, including:

  • *: This is the default value for the Access-Control-Allow-Origin header and means that all origins are allowed.
  • ; Origin: Specifies a single origin (scheme, host and port) to be allowed. If no value is specified, it defaults to "*".
  • ; Allow: Specifies a list of specific origins from which requests should be permitted. The format is Allow: "origin1", "origin2".
  • ; Expires: Specifies the maximum age of the response in seconds.
  • ; Cache-Control: Specifies additional caching options for the response.
  • ; Pragma: Similar to the Cache-Control field, but older browsers may interpret it as a request header rather than a response header.

Example Usage

Here's an example of how you might use the [Access-Control-Allow-Origin](/Access-Control-Allow-Origin) header in your web application:

```http
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=UTF-8
```

In this example, all origins are allowed to access the resource (the value *). The response also includes a Content-Type header whose charset parameter declares UTF-8 encoding.
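The wildcard response above suits a public resource; for anything else the ; Allow variation (a list of permitted origins) is the safer choice. The following is an added example, not code from the original page: the server compares the request's Origin header against a constructed allow-list (ALLOWED_ORIGINS, normalize_origin and cors_headers are assumed names) and echoes only an exact match, never reflecting an arbitrary origin.

```python
"""Build CORS response headers from an explicit origin allow-list.

Added example, not from the original page. Assumes a minimal request model:
the incoming Origin header value and the configured allow-list.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allow-list for the example: full origins, scheme://host[:port].
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com:8443",
})


def normalize_origin(value: str) -> Optional[str]:
    """Canonicalise an Origin header value to scheme://host[:port].

    Returns None for anything that is not a bare origin (path, query,
    userinfo, unknown scheme, bad port), including the literal "null".
    """
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def public_headers() -> Dict[str, str]:
    """Wildcard form: only for resources that carry no per-user data."""
    return {"Access-Control-Allow-Origin": "*"}


def cors_headers(request_origin: Optional[str],
                 allow_credentials: bool = False) -> Dict[str, str]:
    """Allow-list form: echo the Origin only when it matches exactly."""
    headers = {"Vary": "Origin"}  # keep caches from serving one origin's answer to another
    if request_origin is None:
        return headers  # same-origin or non-browser request: nothing to grant
    origin = normalize_origin(request_origin)
    if origin is None or origin not in ALLOWED_ORIGINS:
        return headers  # no ACAO header at all, so the browser withholds the response
    headers["Access-Control-Allow-Origin"] = origin
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

Omitting the header for unknown origins, rather than sending a wrong value, is what makes the browser block the cross-origin read.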

Security Considerations

The [Access-Control-Allow-Origin](/Access-Control-Allow-Origin) header can be used to ensure that sensitive data is not accessed by unauthorized parties. However, it's essential to note that this header does not allow all types of resources to be shared from a specific origin. Some restrictions may apply, such as:

  • Scripting restrictions: The Content-Type response header might specify that only scripts can be executed on the resource.
  • Image restrictions: Some image sources (e.g., images within an iframe) cannot be accessed via CORS.

To implement these security measures effectively, you should consult your browser's documentation and adjust the [Access-Control-Allow-Origin](/Access-Control-Allow-Origin) header according to its specific requirements.