Backend concept

CORS & Browser Boundaries

Browser cross-origin read permissions, preflight requests, credentials, exposed headers, and cache variation.


Why this matters

CORS is not server authorization; it is a browser boundary that can leak authenticated responses when misconfigured.

How to practice

Practice exact allowlists, credential rules, OPTIONS handling, and Vary: Origin.



Learning objectives

  • Explain when browsers send CORS preflight requests.
  • Choose safe Access-Control headers for origins, credentials, methods, and headers.
  • Avoid common CORS mistakes such as wildcard credentials and unsafe origin reflection.
  • Separate authentication failures from authorization failures.
  • Recognize token expiration, missing scopes, CSRF risk, and session fixation risk.
  • Apply object-level authorization instead of trusting a valid token alone.

Common mistakes to avoid

  • Reflecting any Origin header for sensitive authenticated APIs.
  • Combining wildcard origins with credentials.
  • Forgetting Vary: Origin when CORS responses differ by origin.
  • Putting response headers in Access-Control-Allow-Headers instead of Access-Control-Expose-Headers.
  • Treating a valid JWT signature as permission for every object or action.
  • Returning 401 for authenticated users who lack scope or ownership.
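The CORS rules in the list above (exact allowlist, no wildcard with credentials, preflight validation, Expose-Headers for readable response headers, Vary: Origin) as an added example that is not the page's or any game's code; the origin allowlist, method set, request header names and the X-Request-Id header are assumed values.

```python
ALLOWED_ORIGINS = {"https://app.example.com"}  # assumption: exact allowlist, never "*" with credentials
ALLOWED_METHODS = {"GET", "POST", "DELETE"}
ALLOWED_REQUEST_HEADERS = {"authorization", "content-type"}
EXPOSED_HEADERS = ["X-Request-Id"]  # response headers scripts may read (assumed name)
ALLOW_CREDENTIALS = True


def cors_headers(method, headers):
    """Return (status, response_headers) for the CORS part of a response.

    `headers` is the request's header dict with lower-case names. A status of
    None means "not a preflight: merge these headers into the normal response";
    an int means "answer the preflight with this status and nothing else".
    """
    origin = headers.get("origin")
    is_preflight = method == "OPTIONS" and "access-control-request-method" in headers
    # The answer depends on Origin, so caches must key on it, even for rejections.
    resp = {"Vary": "Origin"}

    if origin not in ALLOWED_ORIGINS:
        # Unknown or missing origin: emit no Access-Control-* headers at all and never
        # reflect the Origin value. The browser then blocks the cross-origin read.
        return (403, resp) if is_preflight else (None, resp)

    if is_preflight:
        wanted_method = headers["access-control-request-method"].upper()
        wanted_headers = {h.strip().lower() for h in
                          headers.get("access-control-request-headers", "").split(",") if h.strip()}
        if wanted_method not in ALLOWED_METHODS or not wanted_headers <= ALLOWED_REQUEST_HEADERS:
            return 403, resp  # refuse; do not widen the policy to match the request
        resp["Access-Control-Allow-Origin"] = origin
        resp["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        resp["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_REQUEST_HEADERS))
        resp["Access-Control-Max-Age"] = "600"  # seconds the browser may cache this preflight
        if ALLOW_CREDENTIALS:
            resp["Access-Control-Allow-Credentials"] = "true"
        return 204, resp

    # Actual request: echo only the allowlisted origin (never "*" when credentials are on),
    # and list the response headers scripts may read via Expose-Headers, not Allow-Headers.
    resp["Access-Control-Allow-Origin"] = origin
    if ALLOW_CREDENTIALS:
        resp["Access-Control-Allow-Credentials"] = "true"
    resp["Access-Control-Expose-Headers"] = ", ".join(EXPOSED_HEADERS)
    return None, resp
```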

Games for CORS & Browser Boundaries

Start with the first game, then use local review history to revisit missed decisions.

APIs · Intermediate

CORS Preflight Pilot

Guide browser API requests through CORS decisions covering origins, preflight, credentials, exposed headers, and cache safety.

Time: 6-9 minutes
Concept: CORS, browser security boundaries, and preflight response design
  • Foundations
  • CORS
  • HTTP
  • browser security
Auth · Intermediate

Auth Token Inspector

Inspect authentication scenarios and choose safe backend decisions for tokens, scopes, sessions, CSRF, and object-level authorization.

Time: 6-9 minutes
Concept: Authentication, authorization, sessions, and token safety
  • Foundations
  • Auth
  • JWT
  • sessions
APIs · Beginner

HTTP Status Defender

Choose the correct HTTP status code for realistic backend scenarios and learn the response semantics behind each answer.

Time: 5-8 minutes
Concept: HTTP status codes and response semantics
  • Foundations
  • HTTP
  • REST
  • status codes