DEV Community


✋🏼🔥 CS Visualized: CORS

Lydia Hallie on July 27, 2020

It’s every developer’s frustration once in a while to see that big red Access to fetched has been blocked by CORS policy error in your console! 😬 A...
vaibhavkhulbe profile image
Vaibhav Khulbe

This CS Visualized series is unique and a bomb because of those wonderful diagrammatic GIFs/explanations. I want to thank you for all the hard work you put into your articles.

lydiahallie profile image
Lydia Hallie Author

Thank you! 😃

ajiteshsingh profile image
Ajitesh Singh


jreinhold profile image
Jeppe Reinhold

This is amazing - great down to earth explanation of how CORS works, but just as important, WHY CORS works. You rock!

If I may add, I think it's missing one of the most important parts of CORS, namely that it is NOT a reliable security measure. As it is an opt-in feature by the browsers, it can easily be bypassed by requesting with curl or Postman, or just by installing a browser extension that disables the policy client-side.
I've seen many software engineers mistakenly saying "oh, we've secured our endpoints with CORS, no unauthorized request can happen" - which is not true. It may prevent the user from being tricked into insecure flows (as you explained), but it will not stop hackers from explicitly trying to make malicious requests.

yashsway profile image
Yash Kadaru

I love when anything is explained visually. This is so well made! Thank you!

kewbish profile image
Emilie Ma

Really clear article - gj!

owfm profile image

Sorry if I'm missing something... But in your very first example:

Let’s say we’re trying to fetch some user information on our website from a server that’s located at

And it goes through fine... How come this is not a cross-origin request? It's a different domain and subdomain, isn't it?

caioiglesias profile image
Caio Iglesias

You are correct. It's just an intro showing a request that works followed by one that fails. They seem similar, but are being affected by the same-origin policy. has to be returning Access-Control-Allow-Origin: since the second example denies the request coming from

epic_qi profile image
Epic Lee • Edited

I believe that's a typo. Should both be, otherwise it's a cross-origin request

tommulkins profile image
Tom Mulkins • Edited

Those animations really make it easy to digest the topic.

I might have missed it above but important to note that Access-Control-Allow-Origin allows for a single origin value. Otherwise the server will need some middleware to return the header with the right origin value when more than one origin is allowed.

lydiahallie profile image
Lydia Hallie Author

Ohhh yes! I made the mistake once by padding an array instead haha. I'll update the post accordingly asap :)

pavelloz profile image
Paweł Kowalski • Edited

Let’s say we’re trying to fetch some user information on our website from a server that’s located at!
Let's try the exact same request but from another domain. Instead of making the request from, we’re now making the request from a website located at

Either I don't understand the next couple of sentences explaining how to tell if a request is cross-origin, or there is an error here, because it looks to me that both requests have been cross-origin ;)

jeromefitzpatrick profile image

@Pawel Kowalski

You are correct - either this is an error or maybe allows the origin!

hanskerkhof profile image
Hans Kerkhof

Great article, thanks! This article explains it so beautifully that I can send it to colleagues, back-enders, who have a glassy look full of incomprehension when I mention I need CORS in the frontend. (And that happens more often than you think ;-) )

prof3ssorst3v3 profile image
Steve Griffith

Very well done.
One thing I would suggest pointing out to people is the HTTP Method OPTIONS for the Preflight request, and what that means on the server.
The OPTIONS method gives us a great hook to run server-side code that is specific to these preflight requests.
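Putting Tom's point (one origin value per Access-Control-Allow-Origin header, so the server has to pick the matching one) and Steve's point (OPTIONS preflights are a hook for their own server-side handling) into code, here is an added example; it is not from the article or from any comment above. It is a framework-free Node function that returns the CORS headers for one request; the allow-list hostnames and the `{ method, headers }` request shape are assumptions made for the example.

```javascript
// Added example (not from the article): origin allow-list + preflight handling.
// Assumed allow-list; these hostnames are constructed for the example.
const ALLOWED_ORIGINS = new Set([
  'https://www.mywebsite.com',
  'https://app.mywebsite.com',
]);

// Methods and request headers this API accepts from cross-origin callers.
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['Content-Type', 'Authorization'];

// Compute the CORS response headers for one request.
// `req` is a plain { method, headers } object with lower-cased header names,
// which is the shape Node's http.IncomingMessage exposes (assumed here).
// Returns { status, headers }: status 204 means "answer the preflight now,
// do not run the API handler"; null means "run the handler as usual".
function corsHeaders(req) {
  const origin = req.headers['origin'];
  const headers = {};

  // Same-origin and non-browser requests carry no Origin header: nothing to do.
  if (!origin) return { status: null, headers };

  // Unknown origin: send no Access-Control-Allow-Origin at all, so the browser
  // withholds the response from the page. Never echo arbitrary origins back.
  if (!ALLOWED_ORIGINS.has(origin)) return { status: null, headers };

  // The header takes exactly one origin, so echo the one that matched
  // rather than joining the whole list.
  headers['Access-Control-Allow-Origin'] = origin;
  // The response now differs per Origin; tell caches so one origin's copy
  // is not served to another.
  headers['Vary'] = 'Origin';
  // Only needed when the page sends cookies/credentials; this combination is
  // only valid with an explicit origin, never with "*".
  headers['Access-Control-Allow-Credentials'] = 'true';

  // Preflight: the browser sends OPTIONS plus Access-Control-Request-Method
  // before a non-simple request. Answer it here, without touching the API.
  const isPreflight = req.method === 'OPTIONS'
    && 'access-control-request-method' in req.headers;
  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600'; // seconds the browser may cache this
    return { status: 204, headers };
  }
  return { status: null, headers };
}
```

In a real server you would call `corsHeaders(req)` first, set every returned header on the response, and end the response with the returned status when it is 204; otherwise continue into the normal handler. Note that nothing here authorizes the request: the allow-list only decides what a browser will let a page read, and the API's own authentication still has to run behind it. To check the setup outside a browser, as Lydia describes further down, send the request with an Origin header (for example `curl -i -H 'Origin: https://www.mywebsite.com' <url>`) and look for Access-Control-Allow-Origin in the response.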

serializator profile image
Julian van den Berkmortel

I guess I fell in love with the CS Visualised series right now, can't wait to read many more! 🎉

When I read about the "Origin" which is set on the request I thought "why not spoof it", obviously immediately after that I thought "if that would work I'd be Hans Klok" (I don't know whether that translation of the Dutch phrase works in English) 😅

patarapolw profile image
Pacharapol Withayasakpunt

Does CORS affect cURL or wget? Or, does enforcing CORS help?

lydiahallie profile image
Lydia Hallie Author • Edited

Good question! By default, CORS is only enabled in user agents (e.g. a browser). So if I were to send the exact same request using cURL in say the terminal, this request wouldn't automatically contain the Origin header and CORS wouldn't be enabled.

If you want to test whether your server has CORS enabled, you can manually add the Origin header to the request. If the response contains the Access-Control-Allow-Origin header, you know it's working 😃

a0viedo profile image
Alejandro Oviedo

I wanted to say first that I'm a big fan of your Visualized series! The amount of details and the quality of the animations is extraordinary.

Not-CORS-related question: what did you use for rendering the "SHORCUTS" table? Is it plain HTML? It seems like the anchor for the "Credentials" section is not working.

charanweb profile image

I'm a beginner, but I understand so much only because of the animated GIFs. Thanks is not enough for your efforts and hard work. But I'm jobless. I will definitely show my gratitude when I get a job. Thank you so much Mam❤️

mariofix profile image
Mario Hernandez

Very very easy to understand, thanks!!

gitsanto profile image

Your visual explanation is perfect for me to understand. Thank you @lydia.

tcelestino profile image
Tiago Celestino

Great article.

charan1692_10 profile image

Best articles with the best GIFs. More power to you Lydia.
Request: Can you write blogs on frontend architecture?

beginwithjs profile image

How did you make those beautiful GIFs? It is awesome. Great job!

mitchobrian profile image
Michael Palmer


aaronjoemoreno profile image
aaron moreno

Amazing post. I didn’t realize you wrote this Lydia until I saw your pic at the end. Just saw your honeypot vid the other day. So awesome

thatiitgirl profile image

WOW! I'm amazed by the clear explanation. Also Lydia, could you tell me what software you are using for the animations? I so want to work on that. :) Please!!

avcwisesa profile image

Hi! This is an amazing post! I have to ask, how do you create these cool visualizations? Interested to try it out 😆

rbaswmbrandel profile image
Marcus Brandel • Edited

Is it possible/common that some server-side error could occur which would prevent the full response from being generated, so the Access-Control-Allow-Origin header is never returned on the response, resulting in the dreaded CORS error, even if the origin IS allowed?
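To make the failure mode in this question concrete, here is an added example that is not from the article or from any comment. It contrasts two ways of wiring the same API handler in Node: one that only attaches Access-Control-Allow-Origin on the success path, so a thrown error yields a bare 500 and the browser reports a CORS error, and one that decides the CORS headers before running the handler so every outcome carries them. The allowed origin, the `{ headers }` request shape and the simulated failure are constructed for the example.

```javascript
// Added example (not from the article): keeping CORS headers on error responses.
// Constructed single allowed origin; a real deployment would use its own list.
const ALLOWED_ORIGIN = 'https://www.mywebsite.com';

// Two-line allow check: returns the CORS headers to add, or nothing.
function allowOriginHeader(origin) {
  return origin === ALLOWED_ORIGIN
    ? { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' }
    : {};
}

// Simulated API handlers. `handler()` returns the response body or throws,
// standing in for a database call that fails part-way.
function okHandler() { return '{"user":"example"}'; }
function failingHandler() { throw new Error('database unavailable'); }

// Naive wiring: CORS headers are attached only after the handler succeeds.
// When it throws, the fallback 500 carries no Access-Control-Allow-Origin,
// so the browser blocks the error response even though the origin IS allowed,
// and the page sees a CORS error instead of the real 500.
function naiveRespond(req, handler) {
  try {
    const body = handler();
    return {
      status: 200,
      headers: { ...allowOriginHeader(req.headers.origin), 'Content-Type': 'application/json' },
      body,
    };
  } catch (e) {
    return { status: 500, headers: {}, body: 'Internal Server Error' };
  }
}

// Robust wiring: compute the CORS headers first, then wrap the handler so
// the error path returns them too. The body stays generic; the browser needs
// the header, not the stack trace.
function robustRespond(req, handler) {
  const cors = allowOriginHeader(req.headers.origin);
  try {
    const body = handler();
    return { status: 200, headers: { ...cors, 'Content-Type': 'application/json' }, body };
  } catch (e) {
    return { status: 500, headers: { ...cors, 'Content-Type': 'text/plain' }, body: 'Internal Server Error' };
  }
}
```

The same ordering applies to framework error handlers: if the CORS middleware runs after the error handler, or the error handler builds its own response, the header is lost exactly as in `naiveRespond`. Checking the failing endpoint with curl and an Origin header shows whether the 500 still carries Access-Control-Allow-Origin.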

iamnihal profile image

This is so nicely written. Thanks for this awesome article.

artoodeeto profile image

I stand by my words. "YOU'RE THE GWOAT". Thank you for this.

markgoho profile image
Mark Goho

They say there are two types of web developers: those that don't understand CORS and dirty, rotten liars. Thanks for proving there's a third option 😎

imshravan profile image
Shravan Kumar B

How do you create such apt animations?

Article was so neat and clean. Clever way of writing 👌

reythedev profile image
Rey van den Berg

Thank you! These gifs give my brain life!
Fantastic explanations👏

kpulkit29 profile image
Pulkit Kashyap

Use eBookmarker to save important topics of this blog and directly navigate to them the next time you visit.

kpulkit29 profile image
Pulkit Kashyap

I am always looking forward to reading your blogs.

yuripetyhov profile image

Thank you for it. It is amazing, I have problems with CORS all the time, but now I have perfect tutorial)

codespresso profile image

Really good explanation, you are a visual learner, aren't you? :D

djdmorrison profile image

Great article, you made what can be a tricky concept so clear!

ezrahnyanat profile image
Ezrah Nyanat

Another great and clear explanation! Thanks for taking the time to put this together :)

chidioguejiofor profile image
Chidiebere Ogujeiofor

Really nice one. I'm curious to know what tool you used to create the visualisation

yonidavidson profile image
Yoni Davidson

Very nice work, I really enjoyed the visualisations !

zahirinatzuke profile image
Yohan González

Very good explanation, I loved it

epover profile image

I think your work is wonderful! Update point Python 😂

roshnet profile image
Roshan Sharma • Edited

I always had trouble understanding why do preflight requests even exist. 😅
Thanks for taking the time to create those wonderful GIFs. Please keep up the good work.

ramesh profile image
Ramesh Elaiyavalli

Great and clear post Lydia. 👍✌️

Check out

A nice and quick way to check CORS issues.

andrewbaisden profile image
Andrew Baisden

Good article, easy to follow; those animations make it a joy to read. Thanks.

skychx profile image

Hi, can I translate your article into Chinese? I'll mark the top of the article with a link to your original article.😊

joewalker profile image
Joe walker

Can I translate this blog to Thai language?

felipesaev profile image

How do you make those GIFs?

mkubdev profile image

You can use Screen2Gif :)

chaitu05 profile image
kumar m • Edited

Thank you for the article. I have been in web dev for a few years but didn't know about simple and preflighted requests.
Can we fake an "Origin" header by manually adding it and access resources?

lydiahallie profile image
Lydia Hallie Author

Origin is actually a "forbidden header"; you can't manually set it! 😊 We can't fake the Origin header that way.

However, making the exact same request outside a browser (eg. cURL) would give you access to the resources!

hamid814 profile image
hamidbakhtiari • Edited

awesome stuff there for sure!

ravics09 profile image
Ravi Sharma

Great job💯

island profile image

Thank you~

cpothirajan profile image

Hi, thanks for this wonderful explanation. I do have a basic question: when you say "same domain", does it always mean on the same computer?

kpulkit29 profile image
Pulkit Kashyap

No, it does not mean that.

drarig29 profile image
Corentin Girard

What do you use to make your animations? After Effects?

paulorcv profile image
Paulo Roberto Campos de Vasconcelos

Great work! Thank you!

jakemetzdev profile image
Jake Metz

One of my favorite follows on the web. Thank you for all the hard work you put into the animated gifs! The visual aspect is HUGE for us visual learners

hamodey85 profile image
Mohammed Almajid

I want to thank you for this great article.
What did you use to make these GIF images?