CORS Security Guide

Browsers block cross-origin requests by default. Two URLs have the same origin if their protocol, host, and port all match.

`Access-Control-Allow-Origin`	Specify allowed origin(s). Never use * with credentials.
`Access-Control-Allow-Methods`	List allowed HTTP methods
`Access-Control-Allow-Headers`	List allowed request headers
`Access-Control-Allow-Credentials`	Set true only when credentials (cookies) needed
`Access-Control-Max-Age`	Cache preflight response (seconds)

関連ツール