CORS

DEVELOPMENT

Quick Definition

CORS (Cross-Origin Resource Sharing) is a security feature built into web browsers that blocks a webpage from making requests to a different domain unless the server explicitly allows it through special HTTP headers.

How it works

Browsers enforce a "same-origin policy" by default: JavaScript running on example.com cannot fetch data from api.otherdomain.com unless that server says it is allowed. CORS is the mechanism that relaxes this restriction in a controlled way.

When your browser makes a cross-origin request, it looks for the Access-Control-Allow-Origin header in the response. If the header names the origin your page was loaded from (or is the wildcard *), the browser lets your script read the response. If the header is missing or does not match, the browser blocks the response and you see a CORS error in the console. Note that the request itself still reaches the server; CORS only controls whether the browser hands the response back to your JavaScript.

For certain request types (those using custom headers, PUT/DELETE methods, or credentials), the browser first sends a "preflight" OPTIONS request to check permissions before sending the actual request. The server must respond to this preflight with the appropriate CORS headers, or the real request never fires. This two-step process stops a cross-origin page from triggering state-changing requests that the server has not explicitly opted into.
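The handshake described above, as an added example that is not TerminalFeed's code: the server-side decision of which CORS headers to return (for a plain request and for a preflight), the browser-side rule for when a preflight is needed, and the browser's check of the response. The `policy` object shape, the origins and the header names in the sample calls are assumptions made up for the example. It also covers the wildcard `*` setting and the one caveat that goes with it: browsers refuse a `*` response whenever cookies or other credentials were sent, so an API that must accept credentialed requests has to echo a specific allowlisted origin instead.

```javascript
// Added example (not TerminalFeed's own code): both halves of the CORS
// handshake, modelled as plain functions so they can be run offline.

// "Simple" requests need no preflight: GET/HEAD/POST with only these headers
// and, for Content-Type, only these values.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Server side. `policy` is an assumed shape:
//   { origins: ['*'] or ['https://app.example', ...], credentials: bool,
//     methods: ['GET', ...], headers: ['x-api-key', ...] }
// `req.headers` keys are assumed lower-cased, as Node's http module does.
function corsHeaders(req, policy) {
  const origin = req.headers['origin'];
  if (!origin) return {};                      // same-origin or non-browser client: nothing to add

  // A wildcard cannot be combined with credentials; a credentialed policy
  // must echo one specific, allowlisted origin.
  const wildcard = policy.origins.includes('*') && !policy.credentials;
  const allowed = wildcard || policy.origins.includes(origin);
  if (!allowed) return {};                     // no header at all: the browser blocks the response

  const h = { 'Access-Control-Allow-Origin': wildcard ? '*' : origin };
  if (!wildcard) h['Vary'] = 'Origin';         // response differs per origin; keep shared caches honest
  if (policy.credentials) h['Access-Control-Allow-Credentials'] = 'true';

  const isPreflight = req.method === 'OPTIONS' && !!req.headers['access-control-request-method'];
  if (isPreflight) {
    h['Access-Control-Allow-Methods'] = policy.methods.join(', ');
    h['Access-Control-Allow-Headers'] = policy.headers.join(', ');
    h['Access-Control-Max-Age'] = '600';       // let the browser cache this preflight for 10 minutes
  }
  return h;
}

// Browser side: does this request require a preflight OPTIONS first?
function needsPreflight(method, requestHeaders) {
  if (!SIMPLE_METHODS.has(method)) return true;
  for (const [name, value] of Object.entries(requestHeaders)) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;
    if (n === 'content-type' &&
        !SIMPLE_CONTENT_TYPES.has(String(value).split(';')[0].trim().toLowerCase())) return true;
  }
  return false;
}

// Browser side: given the response headers, is the response released to script?
function browserAllows(pageOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (!acao) return false;
  if (acao === '*') return !withCredentials;   // wildcard is refused once credentials are involved
  if (acao !== pageOrigin) return false;
  if (withCredentials && responseHeaders['Access-Control-Allow-Credentials'] !== 'true') return false;
  return true;
}

const splitList = (s) => (s || '').split(',').map((x) => x.trim()).filter(Boolean);

// The whole flow from the page's point of view: optional preflight, then the
// real request. Returns whether a preflight happened and whether script gets
// to read the final response.
function crossOriginFetch(pageOrigin, method, requestHeaders, policy, withCredentials = false) {
  let preflighted = false;
  if (needsPreflight(method, requestHeaders)) {
    preflighted = true;
    const pre = corsHeaders({ method: 'OPTIONS', headers: {
      origin: pageOrigin,
      'access-control-request-method': method,
      'access-control-request-headers': Object.keys(requestHeaders).join(', '),
    } }, policy);
    if (!browserAllows(pageOrigin, pre, withCredentials)) return { preflighted, allowed: false };
    const methods = splitList(pre['Access-Control-Allow-Methods']).map((m) => m.toUpperCase());
    if (!methods.includes(method)) return { preflighted, allowed: false };
    const headers = splitList(pre['Access-Control-Allow-Headers']).map((x) => x.toLowerCase());
    for (const n of Object.keys(requestHeaders)) {
      const ln = n.toLowerCase();
      if (!SAFE_HEADERS.has(ln) && !headers.includes(ln)) return { preflighted, allowed: false };
    }
  }
  const res = corsHeaders({ method, headers: { origin: pageOrigin, ...requestHeaders } }, policy);
  return { preflighted, allowed: browserAllows(pageOrigin, res, withCredentials) };
}

// Constructed sample policies: an open, read-only API and a credentialed one.
const OPEN_API = { origins: ['*'], credentials: false, methods: ['GET'], headers: [] };
const PRIVATE_API = { origins: ['https://app.example'], credentials: true,
                      methods: ['GET', 'PUT', 'DELETE'], headers: ['x-api-key'] };

module.exports = { corsHeaders, needsPreflight, browserAllows, crossOriginFetch, OPEN_API, PRIVATE_API };
```

A plain GET against the open policy goes straight through with no preflight, while a DELETE carrying a custom header against the private policy is only allowed after the preflight lists both the method and the header; the same DELETE from an origin that is not on the allowlist gets an empty header set back and is blocked.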

Why it matters

CORS errors are one of the most common obstacles developers hit when building frontends that consume external APIs. Understanding how CORS works saves hours of debugging. It also matters for API providers: setting CORS headers correctly determines who can use your API from a browser. Proxy servers and backend-to-backend calls bypass CORS entirely, since the restriction is enforced only by browsers.

Where you'll see this on TerminalFeed

The TerminalFeed API sends Access-Control-Allow-Origin: * on every response, which means any website or application can call our endpoints directly from the browser. This design decision is explained in our Free APIs guide and our article on API rate limits.