CORS, or Cross-Origin Resource Sharing, is a browser security mechanism that controls which web origins are allowed to make requests to a server and read the response. By default, the browser's same-origin policy stops a page from reading responses that come from another origin; a service must explicitly opt in with response headers such as Access-Control-Allow-Origin.
CORS matters because it helps prevent one website from silently reading sensitive data from another. If a server is configured too broadly, a malicious page may be able to send credentialed requests or expose responses that should stay private. In practice, attackers look for permissive wildcard rules, reflected origin checks, or misconfigurations that combine with cookies and sessions. Defenders use tight allowlists, avoid unnecessary credentialed cross-origin access, and pair CORS with safe cookie settings, proper authentication, and server-side authorization checks.
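As an added illustration (not code from the original text), the two server-side policies mentioned above side by side: one that reflects whatever Origin it is sent, and one that uses an exact-match allowlist. A third function mimics the browser's own decision of whether a page may read the response, so the effect of each policy can be checked without a browser. Origins in the allowlist are constructed sample values.

```javascript
// Constructed sample allowlist of origins the service actually trusts.
const ALLOWLIST = new Set(['https://app.example.com', 'https://admin.example.com']);

// Weak policy: echoes the request's Origin and allows credentials, so any
// origin that sends a credentialed request can read the user's response.
function reflectingCorsHeaders(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened policy: credentials are only granted to origins in the allowlist,
// matched by exact string comparison. Prefix, suffix or substring matching
// is a common mistake and is deliberately not used here. Vary: Origin keeps
// a shared cache from serving one origin's headers to another. An empty
// result means the browser will refuse the cross-origin read.
function allowlistCorsHeaders(origin, allowlist = ALLOWLIST) {
  if (typeof origin !== 'string' || !allowlist.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Models the browser's check: may a page at `pageOrigin` read a response
// carrying `headers`, given whether cookies were sent (`credentialed`)?
function browserAllowsRead(headers, pageOrigin, credentialed) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  if (acao === undefined) return false;
  if (credentialed) {
    // Browsers reject "*" for credentialed requests: the header must name
    // the page's origin exactly and Allow-Credentials must be literally "true".
    return acao === pageOrigin && acac === 'true';
  }
  return acao === '*' || acao === pageOrigin;
}

// Compare the two policies for an origin that is not on the allowlist.
function policyComparison(origin) {
  return {
    reflecting: browserAllowsRead(reflectingCorsHeaders(origin), origin, true),
    allowlist: browserAllowsRead(allowlistCorsHeaders(origin), origin, true),
  };
}
```

Calling `policyComparison('https://other-site.test')` returns `{ reflecting: true, allowlist: false }`: the reflecting policy hands a credentialed response to an untrusted origin, the allowlist policy does not.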