across different origins, in the current interconnected day and age, all modern browsers have support for cross-origin requests. This makes it all the more important that we pay attention to how we handle requests coming in to Zoomcar from outside our domains.
The value of the Access-Control-Allow-Origin header can be either a wildcard or an origin value:
• Access-Control-Allow-Origin: *
• Access-Control-Allow-Origin: http://localhost:8080
• A * header doesn't necessarily mean that the resource is publicly accessible. There may be additional forms of authentication on the resource.
server for permission to make the actual request when using non-simple methods or adding custom headers
• Protects servers from receiving unexpected requests.
• Takes the form of an HTTP OPTIONS request with an Origin header and an Access-Control-Request-Method header.
• The server can grant permission to use certain HTTP methods by using the Access-Control-Allow-Methods header. The server can also grant permission to use certain HTTP headers by using the Access-Control-Allow-Headers header.
• The preflight result cache is a performance optimization that helps reduce the number of preflight requests made to a particular endpoint.
withCredentials property to include cookies on cross-origin requests.
• The Access-Control-Expose-Headers header can be used to expose response headers to the client.
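The preflight and credential rules above, combined into one server-side decision function. This is an added example, not code from the original slides: the function name `corsDecision`, the allowlisted origins (apart from the slide's `http://localhost:8080`), the permitted methods and headers, and the 600-second cache lifetime are all assumptions chosen for illustration.

```javascript
// Added example. The allowlist, method/header sets and function name are assumptions.
const ALLOWED_ORIGINS = new Set(["http://localhost:8080", "https://app.example.com"]);
const ALLOWED_METHODS = new Set(["GET", "POST", "PUT", "DELETE"]);
const ALLOWED_HEADERS = new Set(["content-type", "x-requested-with"]);
const EXPOSED_HEADERS = ["X-Request-Id"];
const MAX_AGE_SECONDS = 600; // how long the browser may cache the preflight result

// method: HTTP method of the incoming request.
// reqHeaders: request headers with lowercase keys (as Node's http module provides).
// Returns { preflight, allowed, headers }; headers are the CORS response headers.
function corsDecision(method, reqHeaders) {
  const origin = reqHeaders["origin"];
  const requestedMethod = reqHeaders["access-control-request-method"];
  const preflight = method === "OPTIONS" && Boolean(origin) && Boolean(requestedMethod);
  // Vary: Origin stops caches from serving one origin's response to another.
  const denied = { preflight, allowed: false, headers: { "Vary": "Origin" } };

  // Exact-match allowlist; no substring or regex matching on the Origin value.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return denied;

  const headers = {
    "Vary": "Origin",
    // Echo the specific origin: browsers reject "*" on credentialed requests.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };

  if (!preflight) {
    // Actual request: let client script read selected non-default response headers.
    headers["Access-Control-Expose-Headers"] = EXPOSED_HEADERS.join(", ");
    return { preflight, allowed: true, headers };
  }

  // Preflight: check the method and custom headers the browser is asking about.
  const requestedHeaders = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_METHODS.has(requestedMethod)) return denied;
  if (!requestedHeaders.every((h) => ALLOWED_HEADERS.has(h))) return denied;

  headers["Access-Control-Allow-Methods"] = [...ALLOWED_METHODS].join(", ");
  headers["Access-Control-Allow-Headers"] = [...ALLOWED_HEADERS].join(", ");
  headers["Access-Control-Max-Age"] = String(MAX_AGE_SECONDS);
  return { preflight, allowed: true, headers };
}
```

A denied result carries no Access-Control-Allow-* headers, so the browser fails the preflight or withholds the response from the calling script.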