I’ve heard developers say “I need to add CORS to my API for security” more times than I can count. That’s backwards. CORS doesn’t make your API more secure. In fact, it makes it less restricted. The security feature is the Same-Origin Policy. CORS is the controlled exception.
Let me clear this up once and for all.
Same-Origin Policy (SOP)
The Same-Origin Policy is a built-in browser security mechanism. It’s been around since the early days of the web. Here’s what it does: