
CORS

Aug 16, 2025 · About 1 min read

Security

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls how a web page from one origin (the combination of scheme, host, and port) may request resources from a different origin. By default, browsers enforce the same-origin policy, which prevents scripts from reading the responses to cross-origin requests. CORS gives servers a way to explicitly allow specific cross-origin requests.

CORS works through HTTP headers. When a browser makes a cross-origin request, it includes an Origin header. The server responds with Access-Control-Allow-Origin and related headers that state which origins, methods, and request headers are permitted. For requests that are not "simple" (for example, those using custom headers, a JSON content type, or methods other than GET, HEAD, and POST), the browser first sends a preflight OPTIONS request to check permissions before sending the actual request. Web security books on Amazon explain the mechanism.

For URL shortening services, CORS configuration is important for the API endpoints that create and manage short URLs. If the API is called from JavaScript running on a different domain (which is common for embedded shortening widgets), the server must include appropriate CORS headers to allow the request.

Common CORS mistakes include using the wildcard (*) for Access-Control-Allow-Origin in production (browsers refuse to deliver credentialed responses, such as those carrying cookies or an Authorization header, when the allowed origin is a wildcard), not handling preflight requests correctly, and listing sensitive headers in Access-Control-Expose-Headers unnecessarily. API security books on Amazon cover secure configuration.
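The following is an added example, not code from 短.be or its API: a small CORS policy function for a URL-shortener API that maps an incoming request (method plus headers, with header names lowercased as Node's `http` module delivers them) to the response headers the server should send. It uses an exact-match allowlist rather than a wildcard so that credentialed requests still work, validates the requested method and headers on preflight, and only exposes the one response header the client needs. The origins in the allowlist and the `Location` header are constructed sample values.

```javascript
// Added example (not the page's or the service's own code): a minimal CORS
// policy for a URL-shortener API. Origins below are constructed placeholders.

const ALLOWED_ORIGINS = new Set([
  "https://example-widget.test",    // hypothetical embedding site
  "https://dashboard.example.test", // hypothetical first-party dashboard
]);
const ALLOWED_METHODS = ["GET", "POST", "DELETE", "OPTIONS"];
const ALLOWED_HEADERS = ["Content-Type", "Authorization"];
const MAX_AGE_SECONDS = 600; // how long the browser may cache a preflight result

// Returns { status, headers, isPreflight }. A null status means "add these
// headers and continue to the normal handler"; a numeric status means the
// CORS layer answers the request itself (preflight responses have no body).
function corsHeaders(method, reqHeaders) {
  const origin = reqHeaders["origin"];
  // Caches must key on Origin, otherwise one origin's headers could be
  // served to another from a shared cache.
  const headers = { "Vary": "Origin" };

  // No Origin header: same-origin navigation or a non-browser client.
  if (!origin) return { status: null, headers, isPreflight: false };

  // Exact-match allowlist. Never echo an arbitrary Origin back, and never
  // use "*" on endpoints that rely on cookies or Authorization, because
  // browsers refuse credentialed responses whose allowed origin is "*".
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Disallowed origin: send no CORS headers, so the browser blocks the read.
    return { status: null, headers, isPreflight: false };
  }

  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";

  const isPreflight =
    method === "OPTIONS" && "access-control-request-method" in reqHeaders;

  if (!isPreflight) {
    // Expose only what the client needs to read (here the short-URL location);
    // everything else stays hidden from cross-origin scripts by default.
    headers["Access-Control-Expose-Headers"] = "Location";
    return { status: null, headers, isPreflight: false };
  }

  // Preflight: check the requested method and headers against the policy.
  const wantMethod = reqHeaders["access-control-request-method"].toUpperCase();
  const wantHeaders = (reqHeaders["access-control-request-headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  const allowedLower = ALLOWED_HEADERS.map((h) => h.toLowerCase());
  const permitted =
    ALLOWED_METHODS.includes(wantMethod) &&
    wantHeaders.every((h) => allowedLower.includes(h));

  if (!permitted) {
    // Refuse the preflight; the browser will not send the real request.
    return { status: 403, headers: { "Vary": "Origin" }, isPreflight: true };
  }

  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = String(MAX_AGE_SECONDS);
  return { status: 204, headers, isPreflight: true };
}
```

In a Node `http` handler you would call `corsHeaders(req.method, req.headers)`, copy the returned headers onto the response, and either end the response with the returned status (preflight) or fall through to the real route handler when the status is null. The design choice worth noting is that a disallowed origin gets no CORS headers at all rather than an error: the browser enforces the block, and the server does not leak which origins it recognises.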
