FastAPI Backend Development Bootcamp · Lesson

CORS, CSP and Secure Header Policies

Lock down cross-origin access and inject hardened security headers without breaking legitimate clients.

Why Headers Are Your Outer Perimeter

Before a request ever reaches your business logic, the browser and your server negotiate trust through HTTP headers. Two families dominate API hardening:

  • CORS (Cross-Origin Resource Sharing) decides which browser origins may read your responses.
  • Security response headers (CSP, HSTS, X-Frame-Options, etc.) tell the browser how to constrain the page it renders.

The goal of this lesson is to lock down cross-origin access and inject hardened headers without breaking legitimate clients. Misconfigure them and you either leak data to any website or block your own frontend.

The CORS Mental Model

CORS is enforced by the browser, not your server. Your API simply emits Access-Control-* headers; the browser decides whether to expose the response to JavaScript.

  • A simple request (GET, HEAD or POST carrying only CORS-safelisted headers, where Content-Type must be one of application/x-www-form-urlencoded, multipart/form-data or text/plain) is sent immediately; the browser then checks Access-Control-Allow-Origin on the response, and for credentialed requests also requires Access-Control-Allow-Credentials: true and rejects a wildcard origin.
  • A preflight OPTIONS request is sent first for any other method (PUT, DELETE, PATCH), for non-safelisted headers such as Authorization, and for a non-form Content-Type such as application/json, which is why a JSON API sees a preflight on almost every write.

Critically: CORS does not protect server-to-server calls, curl, or mobile apps. It is purely a browser same-origin relaxation mechanism. Note also that a simple request still reaches your server and is executed before the browser decides whether JavaScript may read the reply; CORS withholds the response, it does not prevent the side effect, so it is not a CSRF defence.
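The decision procedure above, as an added stand-alone model of what the browser does (this is illustration code, not FastAPI or Starlette code): it classifies a request as simple or preflighted, checks whether the browser would expose the response to page JavaScript, and checks a preflight answer against what the real request needs. The STRICT_POLICY and WILDCARD_POLICY dicts, the origins https://app.example and https://evil.example, and the use of one header dict to stand in for both the preflight and the real response are constructed assumptions for the example.

```python
"""Browser-side CORS decision model (added example, not framework code)."""
from __future__ import annotations

from dataclasses import dataclass, field

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
# Request headers a browser may send cross-origin without a preflight.
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


@dataclass
class Request:
    method: str
    origin: str                    # the page making the call, e.g. https://app.example
    headers: dict = field(default_factory=dict)
    credentials: bool = False      # cookies / fetch(..., credentials="include")


def _non_safelisted_headers(req: Request) -> set[str]:
    """Request headers that force a preflight (lower-cased names)."""
    extra = set()
    for name, value in req.headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            extra.add(lname)
        elif lname == "content-type":
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SAFELISTED_CONTENT_TYPES:
                extra.add(lname)   # application/json lands here
    return extra


def needs_preflight(req: Request) -> bool:
    return req.method.upper() not in SAFELISTED_METHODS or bool(_non_safelisted_headers(req))


def origin_allowed(req: Request, resp_headers: dict) -> bool:
    """Would the browser expose this response to the calling page?"""
    h = {k.lower(): v for k, v in resp_headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False
    if req.credentials:
        # Credentialed responses may not use "*" and need the explicit flag.
        return acao == req.origin and h.get("access-control-allow-credentials", "").lower() == "true"
    return acao == "*" or acao == req.origin


def preflight_passes(req: Request, preflight_resp: dict) -> bool:
    """Check an OPTIONS response against the method and headers the real request uses."""
    if not origin_allowed(req, preflight_resp):
        return False
    h = {k.lower(): v for k, v in preflight_resp.items()}
    allowed_methods = {m.strip().upper() for m in h.get("access-control-allow-methods", "").split(",") if m.strip()}
    allowed_headers = {x.strip().lower() for x in h.get("access-control-allow-headers", "").split(",") if x.strip()}
    wildcard = not req.credentials   # "*" is a literal, not a wildcard, for credentialed requests
    method = req.method.upper()
    method_ok = method in SAFELISTED_METHODS or method in allowed_methods or (wildcard and "*" in allowed_methods)
    needed = _non_safelisted_headers(req)
    if wildcard and "*" in allowed_headers:
        # Even under "*", Authorization must be listed explicitly.
        allowed_headers |= needed - {"authorization"}
    return method_ok and needed <= allowed_headers


def outcome(req: Request, policy: dict) -> str:
    """Summarise the browser's behaviour for one request against one server policy.

    `policy` stands in for the CORS headers the API emits on both the preflight
    and the real response (a constructed simplification for this model).
    """
    if needs_preflight(req):
        return "preflight, real request sent" if preflight_passes(req, policy) else "preflight, real request never sent"
    # Simple requests reach the server regardless; CORS only gates reading the reply.
    return "sent, response readable" if origin_allowed(req, policy) else "sent, response hidden from JS"


# Constructed policies. STRICT_POLICY is the shape an explicit allowlist with
# credentials produces; WILDCARD_POLICY is the "just make it work" mistake.
STRICT_POLICY = {
    "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
}
WILDCARD_POLICY = {"Access-Control-Allow-Origin": "*"}

if __name__ == "__main__":
    form_post = Request("POST", "https://evil.example",
                        {"Content-Type": "application/x-www-form-urlencoded"}, credentials=True)
    json_put = Request("PUT", "https://app.example",
                       {"Content-Type": "application/json", "Authorization": "Bearer t"}, credentials=True)
    for r in (form_post, json_put):
        print(r.method, r.origin, "->", outcome(r, STRICT_POLICY))
```

The form POST from https://evil.example is the case to notice: the strict policy hides the response from the attacker's page, but the request was still delivered and executed, which is the CSRF gap CORS does not close. The model also shows why a wildcard policy silently fails for any cookie-bearing fetch.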
