Hiprup

What is CORS and how does it work?

CORS (Cross-Origin Resource Sharing) is a browser security feature that controls whether a page can make requests to a different origin, meaning a different domain, protocol, or port.

  • Same-origin policy — by default, browsers block cross-origin requests for safety.

  • Server decides — the server opts in by sending Access-Control-Allow-Origin and related headers.

  • Preflight — for certain requests the browser first sends an OPTIONS request to check permission.

Key point: CORS is enforced by the browser, not the server, and it relaxes the same-origin policy rather than adding a restriction.

CORS is configured server-side, NOT client-side: the server sends the headers and the browser enforces them.

Know: simple vs preflight requests, the Access-Control-Allow-Origin header, and the OPTIONS preflight. Common dev solutions: a proxy in the dev server, CORS headers in production.
