CORS Headers and Preflight Requests

Access-Control-Allow-Origin: Specifies which origins can access the resource

Access-Control-Allow-Origin: https://trusted-app.example.com
Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: Defines allowed HTTP methods

Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS

Access-Control-Allow-Headers: Specifies allowed request headers

Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With

Access-Control-Allow-Credentials: Indicates whether credentials (such as cookies or HTTP authentication) can be included in the request

Access-Control-Allow-Credentials: true

Access-Control-Max-Age: Sets how long, in seconds, the browser may cache the preflight response

Access-Control-Max-Age: 86400

Access-Control-Expose-Headers: Lists the response headers made available to JavaScript

Access-Control-Expose-Headers: X-Total-Count, X-Page-Number
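
The headers above combined into one server-side decision for preflight and actual requests, as an added example that is not part of the original page. The names POLICY and corsDecision and the request shape are hypothetical; the policy values reuse the header examples listed above.

```javascript
// Added example; the policy values mirror the header examples above.
const POLICY = {
  origins: new Set(["https://trusted-app.example.com"]),
  methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
  headers: ["content-type", "authorization", "x-requested-with"],
  expose: ["X-Total-Count", "X-Page-Number"],
  credentials: true,
  maxAge: 86400, // seconds
};

// req: { method, headers } with lower-cased header names (assumed shape).
// Returns { status, headers }; status null means "continue to the normal handler".
function corsDecision(req, policy = POLICY) {
  const vary = { Vary: "Origin" }; // keeps shared caches from mixing origins
  const origin = req.headers["origin"];
  const reqMethod = req.headers["access-control-request-method"];
  const isPreflight = req.method === "OPTIONS" && reqMethod !== undefined;

  // Exact-match allowlist: no prefix/suffix/regex tests, no blind reflection.
  if (!origin || !policy.origins.has(origin)) {
    return { status: isPreflight ? 403 : null, headers: vary };
  }
  // Echo the vetted origin; "*" is not valid together with credentials.
  const base = { ...vary, "Access-Control-Allow-Origin": origin };
  if (policy.credentials) base["Access-Control-Allow-Credentials"] = "true";
  if (!isPreflight) {
    base["Access-Control-Expose-Headers"] = policy.expose.join(", ");
    return { status: null, headers: base };
  }
  // Preflight: the requested method and every requested header must be allowed.
  const reqHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowed = policy.methods.includes(reqMethod) &&
    reqHeaders.every((h) => policy.headers.includes(h));
  if (!allowed) return { status: 403, headers: vary };
  base["Access-Control-Allow-Methods"] = policy.methods.join(", ");
  base["Access-Control-Allow-Headers"] = policy.headers.join(", ");
  base["Access-Control-Max-Age"] = String(policy.maxAge);
  return { status: 204, headers: base };
}

// Constructed sample preflight from the allowlisted origin.
const samplePreflight = {
  method: "OPTIONS",
  headers: { origin: "https://trusted-app.example.com",
    "access-control-request-method": "PUT",
    "access-control-request-headers": "Content-Type, Authorization" },
};
console.log(corsDecision(samplePreflight));
```

Requests from an origin outside the allowlist receive no Access-Control-Allow-Origin header at all, so the browser blocks the cross-origin read.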