CORS is a browser security mechanism, not a server one. What the Origin header and preflight checks actually do, what CORS protects against, and why it is not CSRF protection.
When I first learned about CORS, I had trouble understanding it because I couldn’t figure out how this protected the server and I couldn’t understand why you would do this just for the client 😄
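To make the opening claim concrete before the explanation, here is an added example (not code from the original post) that models the two halves of CORS in plain Node.js: the server side, which only emits `Access-Control-*` headers as advice, and the browser side, which is the only party that enforces them. The allow-list, the `/transfer` path and the request objects are constructed for illustration. It also shows why a cross-site form POST never triggers a preflight, which is the reason CORS is not CSRF protection.

```javascript
// Added example, not from the original post. Everything below is constructed
// for illustration; the allow-list and the /transfer endpoint are hypothetical.

const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Per the Fetch standard, a request is "simple" (no preflight) when its method
// is GET/HEAD/POST and the page set only CORS-safelisted headers, with
// Content-Type limited to the three values below. A plain HTML <form> POST
// always fits this shape, and the browser attaches cookies to it.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// authorHeaders: headers the page itself set (not ones the browser adds, such as
// Cookie or Origin). Returns true if the browser would send an OPTIONS preflight.
function needsPreflight(method, authorHeaders) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(authorHeaders)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Server side. Note that for a non-OPTIONS request the application logic runs
// and the body is returned no matter what Origin says; the Access-Control-*
// headers only tell a browser whether the calling page may read the result.
function handleRequest(req) {
  const origin = req.headers["origin"];
  const cors = {};
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    cors["access-control-allow-origin"] = origin;
    cors["vary"] = "Origin"; // response differs per Origin, so caches must key on it
  }

  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    // Preflight: no application logic runs; the server just states its policy.
    if (cors["access-control-allow-origin"]) {
      cors["access-control-allow-methods"] = "GET, POST, PUT, DELETE";
      cors["access-control-allow-headers"] =
        req.headers["access-control-request-headers"] || "";
    }
    return { status: 204, headers: cors, body: "" };
  }

  // Actual request: the side effect happens regardless of the Origin header.
  const result = { action: `${req.method} ${req.path}`, transferred: true };
  return { status: 200, headers: cors, body: JSON.stringify(result) };
}

// Browser side. This is the only place a CORS decision is enforced, and all it
// decides is whether the page at pageOrigin may read the response. curl, a
// script, or any non-browser client simply ignores these headers.
function browserCanRead(pageOrigin, response) {
  const allow = response.headers["access-control-allow-origin"];
  return allow === "*" || allow === pageOrigin;
}

module.exports = { needsPreflight, handleRequest, browserCanRead };
```

Run the cross-site form POST through it: `needsPreflight` says no preflight, `handleRequest` performs the transfer and returns 200, and only `browserCanRead` says no. The attacker's page never needed to read the response, so CORS changed nothing about the attack; that is why CSRF defences (SameSite cookies, anti-CSRF tokens, checking `Origin`/`Sec-Fetch-Site` server-side) are a separate layer.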