What is CORS and how do you handle it in APIs?

Beginner

Answer

CORS (Cross-Origin Resource Sharing) is a browser mechanism that lets a server allow controlled access to its resources from other origins (a different scheme, host, or port).

CORS Headers:

Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 3600

Preflight Requests: Before a complex (non-simple) request, the browser sends an OPTIONS request to check that the server allows the origin, method, and headers.

Security Considerations:

  • Don't use * in Access-Control-Allow-Origin for credentials-enabled requests
  • Be specific with allowed origins
  • Validate origins server-side
  • Consider using CORS libraries
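
One way to apply the considerations above on the server, as an added example that is not part of the original answer: an exact-match origin allowlist that also answers preflight requests. The function name `corsDecision`, the second allowed origin, and the choice to enable credentials are assumptions made for illustration.

```javascript
// Constructed allowlist: exact origins (scheme + host + port), no wildcards or regexes.
const ALLOWED_ORIGINS = new Set(["https://example.com", "https://app.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "authorization"];
const MAX_AGE_SECONDS = 3600;

// A preflight is an OPTIONS request that carries Access-Control-Request-Method.
function isPreflight(req) {
  return req.method === "OPTIONS" && "access-control-request-method" in req.headers;
}

// Hypothetical helper: decide the CORS part of the response for one request.
// req = { method, headers } with lower-cased header names (as Node's http module gives them).
// status is null when the request should continue to the normal route handler.
function corsDecision(req) {
  const origin = req.headers["origin"];
  // Vary: Origin stops shared caches from replaying one origin's headers to another.
  const headers = { Vary: "Origin" };

  // No Origin header: not a cross-origin browser request, nothing to add.
  if (origin === undefined) return { status: null, headers };

  // Exact string match. An unlisted origin gets no Access-Control-* headers, so the
  // browser refuses to expose the response to the calling page. This is not access
  // control: the route handler still needs its own authentication and authorization.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: isPreflight(req) ? 403 : null, headers };
  }

  headers["Access-Control-Allow-Origin"] = origin; // the validated origin, never "*"
  headers["Access-Control-Allow-Credentials"] = "true"; // assumption: cookies/auth are used
  if (!isPreflight(req)) return { status: null, headers };

  // Preflight: approve only the method and headers the API really supports.
  const method = req.headers["access-control-request-method"];
  const requested = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_METHODS.includes(method) || !requested.every((h) => ALLOWED_HEADERS.includes(h))) {
    return { status: 403, headers: { Vary: "Origin" } };
  }
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
  headers["Access-Control-Max-Age"] = String(MAX_AGE_SECONDS);
  return { status: 204, headers };
}
```

Because the match is an exact string comparison, lookalike origins such as a listed host used as a prefix or suffix of another domain, and the literal origin `null`, are rejected.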