GameAPIsIntermediateCORS, browser security boundaries, and preflight response designCORSHTTPbrowser securitypreflightAPIsGamePractice CORS backend decisions with an interactive game about preflight requests, allowed origins, credentials, exposed headers, Vary: Origin, and safe browser API access.CORS Preflight PilotAPIsIntermediateCORS, browser security boundaries, and preflight response design/games/cors-preflight-pilot/
Guide browser API requests through CORS decisions covering origins, preflight, credentials, exposed headers, and cache safety.
Concept
CORS, browser security boundaries, and preflight response design
Difficulty
Intermediate
Play time
6-9 minutes
Path
Foundations
practice/cors-preflight-pilotCORS decision score
Play, get feedback, save local progress, and optionally submit a leaderboard score.
Concept explanation
CORS bugs are frustrating because the browser, API gateway, cache, and application server all seem involved. This game turns those moving parts into short dispatch decisions so you can learn the backend side of safe cross-origin access.
Your local progress
0 XP0 games played0 completed
Progress, review history, and best scores are stored in this browser with localStorage.
Use the controls below. Feedback appears immediately, and final scores are stored locally.
Leaderboard
Top 10 submitted scores. No account required.
Loading leaderboard...
Finish the game to load your latest local score.
Learning objectives
Explain when browsers send CORS preflight requests.
Choose safe Access-Control headers for origins, credentials, methods, and headers.
Avoid common CORS mistakes such as wildcard credentials and unsafe origin reflection.
How to play
Read the browser request, origin, credential mode, and API context.
Choose the CORS response or policy that grants the narrowest safe access.
Use the explanation to connect browser behavior with backend headers.
Scoring
Correct decisions add points and build a streak bonus.
Incorrect decisions reveal the unsafe assumption.
Finishing saves your best local CORS decision score.
Backend concept notes
CORS is a browser-enforced read boundary. It does not replace authentication or authorization, but a bad CORS policy can let an attacker-controlled origin read authenticated responses.
Backend APIs should be explicit about allowed origins, credential support, request headers, exposed response headers, and cache variation. Preflight is part of the contract, not noise to ignore.
Common mistakes
Reflecting any Origin header for sensitive authenticated APIs.
Combining wildcard origins with credentials.
Forgetting Vary: Origin when CORS responses differ by origin.
Putting response headers in Access-Control-Allow-Headers instead of Access-Control-Expose-Headers.
Related Backend Study Lab articles
Use the main site for deeper reading after playing.