Security

CORS

A browser security rule controlling which websites are allowed to call your API.

CORS (Cross-Origin Resource Sharing) is the browser's bouncer: by default it blocks your frontend on one domain from calling an API on a different domain unless that API explicitly says 'this origin is allowed.' Almost every vibe coder meets CORS as a scary red console error like 'blocked by CORS policy' — and it's not your frontend's bug, it's the *server* that needs to send the right `Access-Control-Allow-Origin` header. The fix is usually a few lines of config on the backend, or routing the call through your own server so it isn't cross-origin at all.

Related terms