Process Flow - CORS configuration

Client sends request

↓

Browser checks CORS policy

↓

Browser sends OPTIONS preflight request?

No→Send actual request

Yes↓

Server responds with CORS headers

↓

Browser checks headers

↓

Allow or block request based on CORS

↓

Client receives response or error

This flow shows how a browser and server interact to enforce CORS rules, allowing or blocking cross-origin requests.

Execution Sample

AWS

PUT /bucket-name
{
  "CORSConfiguration": {
    "CORSRules": [{
      "AllowedOrigins": ["https://example.com"],
      "AllowedMethods": ["GET", "POST"]
    }]
  }
}

This code sets a CORS policy on an AWS S3 bucket allowing GET and POST from https://example.com.

Process Table

Step	Action	Request Type	CORS Headers Sent	Browser Decision	Result
1	Client sends GET request from https://example.com	GET	Origin: https://example.com	Check if origin allowed	Proceed to send request
2	Browser sends OPTIONS preflight for POST	OPTIONS	Origin: https://example.com, Access-Control-Request-Method: POST	Wait for server response	Waiting
3	Server responds with CORS headers	OPTIONS Response	Access-Control-Allow-Origin: https://example.com, Access-Control-Allow-Methods: GET, POST	Check if POST allowed	Allowed
4	Browser sends actual POST request	POST	Origin: https://example.com	Check if origin allowed	Proceed to send request
5	Server responds to POST	POST Response	Access-Control-Allow-Origin: https://example.com	Allow response	Response received
6	Client sends GET request from https://malicious.com	GET	Origin: https://malicious.com	Check if origin allowed	Blocked
7	Browser blocks response	N/A	N/A	Origin not allowed	Error: CORS policy blocks request

💡 Execution stops when browser blocks request from disallowed origin or completes allowed request.

Status Tracker

Variable	Start	After Step 1	After Step 3	After Step 5	After Step 7
Origin	N/A	https://example.com	https://example.com	https://example.com	https://malicious.com
AllowedOrigins	["https://example.com"]	["https://example.com"]	["https://example.com"]	["https://example.com"]	["https://example.com"]
Request Allowed	false	true	true	true	false
Response Received	false	false	false	true	false

Key Moments - 2 Insights

Why does the browser send an OPTIONS preflight request before the actual POST?

Why is the request from https://malicious.com blocked?

Visual Quiz - 3 Questions

Test your understanding

Look at the execution table, what CORS header does the server send in response to the OPTIONS preflight?

AAccess-Control-Allow-Methods: GET, POST

BAccess-Control-Allow-Origin: https://example.com

CAccess-Control-Allow-Headers: Content-Type

DAccess-Control-Allow-Credentials: true

Concept Snapshot

CORS configuration controls which origins can access resources.
Browsers enforce CORS by sending preflight OPTIONS requests for some methods.
Server responds with headers like Access-Control-Allow-Origin and Access-Control-Allow-Methods.
If origin or method not allowed, browser blocks the request.
Set CORS on AWS S3 via CORSConfiguration with AllowedOrigins and AllowedMethods.

Full Transcript

CORS configuration is a security feature that controls which websites can access resources on a server. When a client from a different origin tries to access a resource, the browser checks the CORS policy. For some requests, it sends a preflight OPTIONS request to ask the server if the actual request is allowed. The server responds with headers indicating allowed origins and methods. If the origin or method is not allowed, the browser blocks the request. In AWS S3, you configure CORS by setting AllowedOrigins and AllowedMethods in the bucket's CORSConfiguration. This example showed a client from https://example.com allowed to GET and POST, while a client from https://malicious.com was blocked.