Linkedin
Terms & PrivacySupport
Web Security Made Easy: How SOP and CORS Protect Your Data - Featured Image
Web development5 min read

Web Security Made Easy: How SOP and CORS Protect Your Data

Web security is no joke. Think about it - would you leave your house unlocked with a "Free Stuff Inside" sign hanging on the door? Of course not! On the internet, Same-Origin Policy (SOP) works like that locked door, and CORS (Cross-Origin Resource Sharing) is basically the key that only works for people you've approved.

I've spent countless hours banging my head against CORS errors, so I figured I'd break down what's actually happening and save you some frustration. Let's dive into SOP, CORS, and all those annoying errors you hit when working with third-party APIs.

What is Same-Origin Policy (SOP)?

The Same-Origin Policy is essentially the internet's bouncer. Browsers implement this security feature to prevent web pages from making requests to different origins unless they match exactly. Without SOP, any sketchy website could access sensitive data from other tabs you have open. Imagine your bank details just sitting there, available to any random site!

Breaking down "origin"

To understand what "same origin" actually means, we need to look at the three components that make up an origin:

  1. Protocol: http, https, ftp... you know the drill

  2. Domain: The actual website name, like example.com

  3. Port: Usually 80 for http and 443 for https, but there are others

If ANY of these three differ between two URLs, they're considered different origins.

For example:

  • https://example.com:443/page1Same origin as https://example.com:443/page2

  • http://example.com/page1 Different origin from https://example.com/page2 (protocol differs)

How Same-Origin Policy works

SOP puts strict controls on what data web pages can access across different origins. You can only access cookies for your own origin. LocalStorage and SessionStorage are origin-specific, so each domain gets its own storage space without others being able to peek inside. Scripts from one origin can't access the DOM of pages from another origin. And for developers, AJAX and Fetch requests across origins are blocked unless the server explicitly allows them.

When SOP gets in the way

We've all been there - you're making what seems like a simple request from your frontend to some third-party API, and boom! That dreaded CORS error pops up. Don't panic though - this is exactly where CORS comes to the rescue.

What is CORS?

CORS is a security mechanism that allows (or restricts) resources on a web server to be requested from a different domain. It's like giving special permission to certain websites to access your server's data. Without CORS, web pages would be completely trapped in their origin-sandbox, unable to talk to external APIs, CDNs, or other resources.

Why CORS matters

CORS matters because it adds flexibility to the Same-Origin Policy, which is very strict by default. It makes web development more practical. CORS enables controlled resource sharing by letting servers whitelist specific domains they trust. It also prevents cross-origin attacks by blocking unauthorized requests, helping protect against threats like Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS).

How CORS works

When your browser tries to make a cross-origin request, it sends an Origin header to the server, basically saying "Hey, I'm coming from this domain." The server then decides whether to play ball, responding with specific CORS headers like Access-Control-Allow-Origin if it's cool with your request.

CORS workflow

Simple requests: These are basic requests (GET, POST, HEAD) that don't need special handling.

  • If the server returns an Access-Control-Allow-Origin header matching your origin, you're good to go!

Preflight requests: These are like permission slips. Before sending certain types of requests (like DELETE or ones with custom headers), your browser first asks "Is it okay if I do this?"

  • The browser sends a preflight request using the OPTIONS method

  • If the server responds with the right headers, your browser proceeds with the actual request

Important CORS headers

  • Access-Control-Allow-Origin: Specifies which origins can access the resource

  • Access-Control-Allow-Methods: Lists which HTTP methods are allowed

  • Access-Control-Allow-Headers: Indicates which custom headers can be used

  • Access-Control-Allow-Credentials: Determines if cookies or auth headers can be included

Common CORS errors and fixes

Using a proxy server: This is like saying "Fine, I'll handle this myself." Your server makes the request to the API, bypassing CORS altogether.

app.use("/api", (req, res) => {
  const url = "https://third-party-api.com" + req.url;
  req.pipe(request(url)).pipe(res);
});

CORS-Anywhere: You can use public proxy services as a quick workaround:

fetch(
  "https://cors-anywhere.herokuapp.com/https://third-party-api.com/endpoint"
);

Server-side request: Make requests from your backend instead of directly from the frontend:

app.get("/api/data", async (req, res) => {
  const response = await axios.get("https://api.example.com/data");
  res.json(response.data);
});

Ask the API provider: Sometimes the simplest solution is just asking nicely. Contact the API provider and ask them to enable CORS for your domain.

JSONP: This is an older technique that works for GET requests by using script tags to load data from another origin.

The gatekeeper header

This header is the backbone of CORS. If it's missing or set up wrong, your browser will block cross-origin requests faster than you can say "CORS error." Servers use this header to tell which domains can access their resources, keeping out unwanted visitors while letting the right ones through.

Security checkpoints

Think of a preflight request as TSA screening before you board a plane. Before sending complex cross-origin requests (PUT, DELETE, or requests with custom headers), your browser sends an OPTIONS request to check if you're allowed to proceed. If the server says yes, your actual request goes through. If not, you're stuck at security.

Dealing with API CORS errors

You're building your app and need data from an external API. You try to fetch it, and bam - CORS error. Here's what you can do:

  1. Use a proxy server: Let your server handle the dirty work

  2. Public CORS proxies: Use services like CORS-Anywhere (but be careful with security)

  3. Server-side requests: Fetch data on your backend instead of directly in the browser

  4. Ask API provider for CORS support: Sometimes just asking works!

  5. CORS-enabled API gateways: Use an API gateway to manage CORS for you

  6. Browser extensions: For development only, extensions like "CORS Unblock" can help

Conclusion

It's tempting to try bypassing CORS restrictions directly in the browser, but seriously - don't do it! Browsers enforce CORS for good reasons. While workarounds like proxy servers are legit solutions, never compromise on security. CORS exists to protect users from attacks, so play by the rules and only use safe, controlled workarounds.

Remember: good security practices might seem annoying in the moment, but they're way less annoying than dealing with a security breach!

web securitycorsSOPCORS headersCORS errors

Posted on: 16/4/2025

hassaankhan789@gmail.com
Hassaan Khan
4.6k

Frontend Web Developer

Posted by





Subscribe to our newsletter

Join 2,000+ subscribers

Stay in the loop with everything you need to know.

We care about your data in our privacy policy

Background shadow leftBackground shadow right

Have something to share?

Write on the platform and dummy copy content

HomeQuestionsBlogsProductsJobsLink-loungeNewsMemesCompaniesSupport

Copyright © 2025. Shifters. All rights reserved.

Terms & Privacy
Linkedin

Be Part of Something Big

Shifters, a developer-first community platform, is launching soon with all the features. Don't miss out on day one access. Join the waitlist: