What Is CORS (Cross-Origin Resource Sharing)?
A browser security mechanism that controls which origins (scheme, host and port) may make requests to your web application and read the responses. By default, the browser's same-origin policy stops JavaScript on one origin from reading responses to requests it sends to another origin. CORS response headers tell the browser which origins, HTTP methods, and request headers are allowed to cross that boundary.
In Laravel Applications
Configure CORS in config/cors.php. The most dangerous misconfiguration is setting allowed_origins to ["*"] (any origin) on authenticated endpoints. This allows any website a user visits to make requests to your API on behalf of that user and read the responses.
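As an added illustration (not code from the page or from the Laravel project), here are the weak and the hardened versions of config/cors.php side by side for a cookie-authenticated API such as a Sanctum-backed SPA. The SPA origin https://app.example.com is a placeholder. The comment on the weak version relies on how the CORS middleware Laravel ships with behaves: because browsers reject a literal * combined with Access-Control-Allow-Credentials: true, the middleware echoes the request's Origin header instead when allowed_origins is ["*"] and supports_credentials is true, which is exactly the reflected-origin pattern an attacker's site needs.

```php
<?php
// Added example, not the page's or Laravel's own file: two versions of
// config/cors.php for an API that authenticates with cookies.
// Placeholder origin: https://app.example.com is the trusted SPA.

// --- Weak: every origin is trusted, and credentials are sent -------------
// With supports_credentials => true the middleware cannot emit a literal "*",
// so it reflects whatever Origin the browser sent. Any site the user is
// visiting can then read authenticated responses from /api/*.
$weak = [
    'paths' => ['api/*', 'sanctum/csrf-cookie'],
    'allowed_methods' => ['*'],
    'allowed_origins' => ['*'],
    'allowed_origins_patterns' => [],
    'allowed_headers' => ['*'],
    'exposed_headers' => [],
    'max_age' => 0,
    'supports_credentials' => true,
];

// --- Hardened: explicit allow-list of exact origins ---------------------
$hardened = [
    'paths' => ['api/*', 'sanctum/csrf-cookie'],
    // Name the methods the API actually serves instead of "*".
    'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
    // Exact origins: scheme, host and port must all match.
    'allowed_origins' => [
        'https://app.example.com',
    ],
    // Patterns are matched with preg_match, so anchor them. An unanchored
    // "example\.com" would also match https://example.com.attacker.example.
    // Leave this empty unless wildcard subdomains are genuinely required.
    'allowed_origins_patterns' => [
        // '#^https://[a-z0-9-]+\.example\.com$#',
    ],
    // Only the headers the SPA really sends.
    'allowed_headers' => ['Content-Type', 'X-Requested-With', 'X-XSRF-TOKEN', 'Authorization'],
    'exposed_headers' => [],
    // Cache successful preflights for an hour.
    'max_age' => 3600,
    // Credentials stay on, which is why the origin list above must be exact.
    'supports_credentials' => true,
];

return $hardened;
```

Keep supports_credentials enabled only when the API really relies on cookies or HTTP authentication; for a pure bearer-token API it can be false, and then a public, read-only endpoint may legitimately use ["*"] because the browser will never attach cookies to those requests.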
Example
With Access-Control-Allow-Origin: * (or a reflected Origin) on endpoints that accept the user's session cookie, a malicious website can make AJAX requests to your Laravel API endpoints, reading data and performing actions as the authenticated user.
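A regression test is the simplest way to make sure the misconfiguration above never ships. The following Laravel feature test is an added example, not part of the page or of any project it describes; it assumes Laravel Sanctum is installed, that the default GET /api/user route is protected by auth:sanctum, and that https://app.example.com (placeholder) is the single allow-listed SPA origin. The untrusted origin https://attacker.example is a constructed value for the test.

```php
<?php
// Added example (hypothetical test, not from the page): fails the build if
// the API echoes an arbitrary Origin back with credentials.
// Assumptions: Laravel Sanctum installed, GET /api/user behind auth:sanctum,
// config/cors.php allow-listing exactly https://app.example.com.

namespace Tests\Feature;

use App\Models\User;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;

class CorsPolicyTest extends TestCase
{
    private const TRUSTED_ORIGIN = 'https://app.example.com';   // placeholder
    private const UNTRUSTED_ORIGIN = 'https://attacker.example'; // constructed

    public function test_untrusted_origin_is_not_echoed_back(): void
    {
        Sanctum::actingAs(User::factory()->create());

        $response = $this->getJson('/api/user', ['Origin' => self::UNTRUSTED_ORIGIN]);

        // The server still answers (CORS is enforced by the browser when it
        // reads the response), but no allow headers may name this origin.
        $response->assertOk()
            ->assertHeaderMissing('Access-Control-Allow-Origin')
            ->assertHeaderMissing('Access-Control-Allow-Credentials');
    }

    public function test_trusted_origin_is_allowed_with_credentials(): void
    {
        Sanctum::actingAs(User::factory()->create());

        $response = $this->getJson('/api/user', ['Origin' => self::TRUSTED_ORIGIN]);

        // Exact origin, never "*", because credentials are in play.
        $response->assertOk()
            ->assertHeader('Access-Control-Allow-Origin', self::TRUSTED_ORIGIN)
            ->assertHeader('Access-Control-Allow-Credentials', 'true');
    }

    public function test_preflight_from_untrusted_origin_is_not_allowed(): void
    {
        // A preflight carries no data; the headers are the whole request.
        $response = $this->options('/api/user', [], [
            'Origin' => self::UNTRUSTED_ORIGIN,
            'Access-Control-Request-Method' => 'GET',
        ]);

        $response->assertHeaderMissing('Access-Control-Allow-Origin');
    }
}
```

Run it with php artisan test. With the weak allowed_origins => ['*'] plus supports_credentials => true configuration, the first test fails because Access-Control-Allow-Origin comes back as https://attacker.example; with the exact allow-list it passes.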
Related Terms
Security Headers
HTTP response headers that instruct browsers how to handle your website's content securely. They protect against common attacks like cross-site scripting (XSS), clickjacking, and protocol downgrade attacks by telling the browser what actions are allowed.
Cross-Site Request Forgery (CSRF)
An attack where a malicious website tricks a user's browser into performing an unwanted action on a site where the user is authenticated. The browser automatically sends cookies with the request, so the target site processes it as a legitimate action from the user.
Monitor Your Laravel Application's Security
StackShield continuously checks your Laravel application from the outside, catching security issues before attackers find them.