CORS Interview Questions
Common CORS interview questions with answers.
CORS Interview Questions
Q1: What is CORS?
Cross-Origin Resource Sharing. A browser mechanism that allows servers to opt-in to cross-origin requests via headers.
Q2: What is a preflight request?
An OPTIONS request sent before non-simple requests (PUT, DELETE, custom headers) to check if the server allows them.
Q3: How do you fix a CORS error?
Configure the server to include Access-Control-Allow-Origin and related headers. Handle OPTIONS with 204.
Q4: Can you use * with credentials?
No. Specify the exact origin and set Access-Control-Allow-Credentials: true.
Q5: Is CORS a client-side or server-side issue?
Server-side. The server must include the correct headers. The browser enforces CORS.
Q6: What triggers a preflight?
Methods other than GET/POST/HEAD, custom headers, or application/json content type.
The Takeaway
CORS interview questions: definition (cross-origin sharing), preflight (OPTIONS before non-simple), fix (server headers), * with credentials (not allowed), client vs server (server-side), and preflight triggers (PUT/DELETE/custom headers/JSON).
Cross-Origin Resource Sharing. A browser security mechanism that allows servers to opt-in to cross-origin requests by including Access-Control-Allow-Origin and related headers.
An OPTIONS request sent before non-simple requests (PUT, DELETE, PATCH, custom headers, application/json). The browser checks if the server allows the method, headers, and origin before sending the actual request.
Configure the server: Access-Control-Allow-Origin (your origin), Access-Control-Allow-Methods, Access-Control-Allow-Headers. Handle OPTIONS preflight with 204. Use the cors middleware in Express. Use a proxy in development.
Server-side. The server must include the correct CORS headers. The browser enforces CORS by checking the headers. You cannot fix CORS from the client side (the server must allow your origin).
Non-simple requests: methods other than GET/POST/HEAD (PUT, DELETE, PATCH), custom headers (Authorization, X-Custom), or Content-Type application/json. Simple requests (GET, POST with form data) do not trigger a preflight.
Ready to master React completely?
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.
Master React
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course.

