HTTP Cross Origin and Access Control Server: responding to a CORS request


The response to a CORS request must include an Access-Control-Allow-Origin header, which dictates what origins are allowed to use the CORS resource. This header can take one of three values:

  • An origin. Doing this permits requests from that origin only.
  • The character *. This permits requests from any origin.
  • The string null. This permits no CORS requests.

For example, on reception of a CORS request from the origin, if is an authorized origin, the server would send back this response:

HTTP/1.1 200 OK

An any-origin response would also permit this request, i.e.:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
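The three choices above, turned into a small server-side responder as an added example (not code from the original page): it reads the request's Origin header, echoes that origin back only if it is on a constructed allowlist, answers with * only for a resource explicitly marked public, and otherwise omits the header so the browser denies the request. The allowlist and the sample request are assumptions for the demonstration.

```python
# Constructed allowlist of origins this server trusts (assumption, not from the page).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def request_origin(raw_request):
    """Return the value of the Origin header from a raw HTTP request, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "origin":
            return value.strip()
    return None


def cors_headers(origin, allowed=ALLOWED_ORIGINS, public=False):
    """Pick the Access-Control-Allow-Origin value for a request from `origin`.

    - public=True: the resource is meant for everyone, so answer with '*'.
    - origin on the allowlist: echo exactly that one origin back and add
      'Vary: Origin' so a shared cache never hands one origin's response
      to another origin.
    - anything else (unknown origin, missing Origin header, or the literal
      'null'): send no Access-Control-Allow-Origin header at all, which the
      browser treats as a denial.
    """
    if public:
        return {"Access-Control-Allow-Origin": "*"}
    if origin is not None and origin != "null" and origin in allowed:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def respond(raw_request, public=False):
    """Build the status line and headers of a 200 response to a CORS request."""
    headers = cors_headers(request_origin(raw_request), public=public)
    lines = ["HTTP/1.1 200 OK"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    req = ("GET /api/data HTTP/1.1\r\nHost: api.example.com\r\n"
           "Origin: https://app.example.com\r\n\r\n")
    print(respond(req))                                        # echoes the origin
    print(respond(req.replace("app.example", "evil.example"))) # no CORS header
    print(respond(req, public=True))                           # answers with *
```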