What is CORS

CORS, or Cross-Origin Resource Sharing, is a security mechanism implemented by web browsers to control how resources on a web page can be requested from a domain other than its own. This is a key security measure to prevent Cross-Site Request Forgery (CSRF) attacks and allow servers to indicate which origins are allowed to access their resources.

When a browser makes an HTTP request to a different origin than the one that served the original page, it emits a CORS request. At this point, the target origin server can include specific CORS headers in the HTTP response, indicating whether the request is allowed or not.

Core CORS headers include:

Access-Control-Allow-Origin: This header indicates which origins are allowed to access the resources. It can contain a single value (such as "https://example.com") or "*", indicating that any origin has permission.

Access-Control-Allow-Methods: This header specifies the HTTP methods allowed when the resource is accessed from the permitted origin. Examples of methods include GET, POST, PUT, DELETE, etc.

Access-Control-Allow-Headers: This header lists the HTTP headers allowed when making the actual request.

Access-Control-Allow-Credentials: This header indicates whether the request can be made with credentials, such as cookies or authorization headers. If the value is "true", the browser allows the request to include credentials.

Access-Control-Expose-Headers: This header allows specified headers to be exposed client-side.

Additionally, CORS defines two types of requests:

Simple Requests: These are requests that meet certain criteria, such as using only allowed methods and not including custom headers. These requests do not trigger a preflight request.

Preflighted Requests: These are more complex requests that require a preflight request to determine whether the actual request is secure. The browser sends an HTTP OPTIONS request to verify that the server accepts the actual request.
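The headers and the preflight check described above, as an added example that is not part of the original post: a framework-independent function that decides which CORS headers a server sends back. The policy object, origins and function name are constructed for illustration.

```javascript
// Added example: server-side CORS decision logic (policy values are constructed).
const POLICY = {
  origins: new Set(["https://app.example.com", "https://admin.example.com"]),
  methods: ["GET", "POST", "PUT", "DELETE"],
  headers: ["content-type", "authorization"],
  expose: ["X-Request-Id"],
  credentials: true,
};

// req: { method, headers } with lower-cased header names.
// Returns { preflight, allowed, headers } for the CORS part of the response.
function corsDecision(req, policy = POLICY) {
  const origin = req.headers["origin"];
  const out = { Vary: "Origin" }; // caches must not reuse a response across origins
  // No Origin header: not a CORS request. Unknown origin: send no CORS headers,
  // so the browser withholds the response from the calling script.
  if (!origin || !policy.origins.has(origin)) {
    return { preflight: false, allowed: false, headers: out };
  }
  // Echo the exact allowlisted origin: browsers reject "*" on credentialed requests.
  out["Access-Control-Allow-Origin"] = origin;
  if (policy.credentials) out["Access-Control-Allow-Credentials"] = "true";

  const wantedMethod = req.headers["access-control-request-method"];
  const preflight = req.method === "OPTIONS" && wantedMethod !== undefined;
  if (!preflight) {
    out["Access-Control-Expose-Headers"] = policy.expose.join(", ");
    return { preflight, allowed: true, headers: out };
  }
  // Preflight: check the method and headers the actual request intends to use.
  const wantedHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowed = policy.methods.includes(wantedMethod) &&
    wantedHeaders.every((h) => policy.headers.includes(h));
  if (allowed) {
    out["Access-Control-Allow-Methods"] = policy.methods.join(", ");
    out["Access-Control-Allow-Headers"] = policy.headers.join(", ");
  }
  return { preflight, allowed, headers: out };
}
```

The server still has to enforce its own authorization on the actual request; these headers only tell the browser whether the calling script may proceed and read the response.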

CORS is a fundamental part of web security, enabling the creation of secure, interactive web applications that can interact with resources from different sources in a controlled manner.
