
What CORS is and why it matters

Last update: May 18, 2026
CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls whether JavaScript running on one origin is allowed to call an HTTP API on another origin.

Overview

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls whether JavaScript running on one origin (for example https://app.example.com) is allowed to call an HTTP API on another origin (for example https://express-mcp-service.adobe.io).
Key points for MCP users:
  • CORS is only enforced by browsers.
  • Server-to-server calls (back-end MCP clients, CLI tools, IDEs) are not restricted by CORS.
  • If you are calling an MCP endpoint from a web page or SPA, CORS configuration on the MCP server determines whether the browser allows the request.
  • Even valid, authorized requests can fail in the browser if CORS is misconfigured, resulting in errors like:
    • “CORS policy: No Access-Control-Allow-Origin header is present”
    • “CORS policy: Response to preflight request doesn’t pass access control check”
For MCP, this typically affects:
  • Web-based MCP hosts or agent UIs that call .../mcp directly from the browser.
  • In-browser MCP tooling (for example, custom dashboards, admin consoles, or web extensions) that need to talk to your MCP server over HTTPS.

MCP requests and CORS

A browser enforces CORS differently depending on the type of request:
  • Simple requests (GET, some POSTs with limited headers or body types)
  • Preflighted requests (most POST/PUT/DELETE with JSON bodies and custom headers)
MCP traffic almost always falls into the preflighted category because:
  • You are using POST with a JSON-RPC body (Content-Type: application/json).
  • You typically send custom headers for authentication, such as:
    • Authorization: Bearer ...
    • sessionid: ...
    • x-gw-ims-org-id: ...
This means:
  • Before the actual MCP request, the browser sends an OPTIONS preflight to the MCP server.
  • The server must respond with appropriate CORS headers on the OPTIONS response and on the actual MCP response.
  • If either step is wrong or incomplete, the browser blocks your JavaScript code from reading the response, even if the server processed the request.
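The distinction between simple and preflighted requests can be made mechanical. The following is an added example, not code from the original page: it applies the main CORS-safelisting rules of the Fetch standard (method, header names, Content-Type value) to decide whether a browser would send an OPTIONS preflight for a given request, and lists the reasons. It ignores secondary rules such as header value length limits, and the sample requests are constructed for illustration.

```javascript
// Added example: decides whether a browser sends a CORS preflight (OPTIONS)
// before a cross-origin request, using the Fetch standard's CORS-safelisted
// methods, header names and Content-Type values.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Returns every reason a preflight is required; an empty list means the
// browser treats the request as "simple" and sends it without OPTIONS.
function preflightReasons(request) {
  const reasons = [];
  const method = request.method.toUpperCase();
  if (!SAFELISTED_METHODS.has(method)) {
    reasons.push(`method ${method} is not CORS-safelisted`);
  }
  for (const [name, value] of Object.entries(request.headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) {
      reasons.push(`header ${name} is not CORS-safelisted`);
      continue;
    }
    if (lower === "content-type") {
      // Only the MIME type matters; parameters such as charset are ignored.
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) {
        reasons.push(`Content-Type ${mime} forces a preflight`);
      }
    }
  }
  return reasons;
}

function needsPreflight(request) {
  return preflightReasons(request).length > 0;
}

// Constructed sample: a typical MCP JSON-RPC call issued from a web page.
const mcpRequest = {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    Authorization: "Bearer <token>",
    "x-gw-ims-org-id": "<org-id>",
  },
};

// Constructed sample: a plain form post, which the browser sends directly.
const formRequest = {
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
};

console.log(preflightReasons(mcpRequest));
console.log(needsPreflight(formRequest)); // false
```

Running it shows three separate reasons for the MCP call (the JSON content type, the Authorization header and the x-gw-ims-org-id header), which is why fixing only one of them on the server side does not make the preflight go away.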

Safe CORS configuration principles

When enabling CORS on your MCP HTTP endpoint, you want to:
  • Allow only trusted origins, not * for everything.
  • List all the methods and headers that your MCP traffic needs, and no more.
  • Return consistent CORS headers on both preflight (OPTIONS) and actual responses.
  • Keep authentication separate from CORS. CORS does not replace real authentication.
Allowing origins
The most important header is:
Access-Control-Allow-Origin: https://your-app.example.com
Avoid using Access-Control-Allow-Origin: * for authenticated endpoints, especially with credentials.
Allowed methods
Include at least:
Access-Control-Allow-Methods: POST, OPTIONS
Allowed headers
Typical MCP headers to allow:
  • Content-Type
  • Authorization
  • sessionid
  • x-gw-ims-org-id, x-api-key
Example:
Access-Control-Allow-Headers: Content-Type, Authorization, sessionid, x-gw-ims-org-id, x-api-key
Credentials (cookies and auth headers)
If credentials are required:
  • Set Access-Control-Allow-Credentials: true.
  • Use a specific origin instead of *.
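The four principles above can be put together in one handler. The following is an added example, not the page's or any MCP server's own code: a Node-style request handler that emits consistent CORS headers on both the OPTIONS preflight and the actual POST response, echoes only an allow-listed origin, and refuses at startup to combine a wildcard origin with credentials. The policy object, the function names and the origins are assumptions made for this example; authentication of the JSON-RPC body is left as a marked placeholder.

```javascript
// Added example: CORS policy for an MCP HTTP endpoint, applied consistently
// to the preflight and to the actual response. The policy values are assumptions.
const policy = {
  allowedOrigins: new Set(["https://app.example.com"]),
  allowedMethods: ["POST", "OPTIONS"],
  allowedHeaders: ["Content-Type", "Authorization", "sessionid", "x-gw-ims-org-id", "x-api-key"],
  allowCredentials: true,
  maxAgeSeconds: 600,
};

// Returns the CORS headers for one response. An untrusted Origin gets only
// Vary: Origin, so the browser blocks the page's script from reading the body.
function corsHeaders(policy, origin, isPreflight) {
  const headers = { Vary: "Origin" }; // always set, so caches keep origins apart
  if (!origin || !policy.allowedOrigins.has(origin)) {
    return headers;
  }
  headers["Access-Control-Allow-Origin"] = origin; // the exact origin, never "*"
  if (policy.allowCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  if (isPreflight) {
    headers["Access-Control-Allow-Methods"] = policy.allowedMethods.join(", ");
    headers["Access-Control-Allow-Headers"] = policy.allowedHeaders.join(", ");
    headers["Access-Control-Max-Age"] = String(policy.maxAgeSeconds);
  }
  return headers;
}

// Rejects the misconfiguration browsers refuse anyway: "*" plus credentials.
function validatePolicy(policy) {
  if (policy.allowCredentials && policy.allowedOrigins.has("*")) {
    throw new Error("Access-Control-Allow-Origin: * cannot be combined with credentials");
  }
  return true;
}

// Handler compatible with Node's http.IncomingMessage / http.ServerResponse.
// Node lowercases incoming header names, hence req.headers.origin.
function handle(req, res) {
  const isPreflight = req.method === "OPTIONS";
  for (const [name, value] of Object.entries(corsHeaders(policy, req.headers.origin, isPreflight))) {
    res.setHeader(name, value);
  }
  if (isPreflight) {
    res.writeHead(204); // any 2xx satisfies the preflight; no body is needed
    res.end();
    return;
  }
  if (req.method !== "POST") {
    res.writeHead(405);
    res.end();
    return;
  }
  // Placeholder: authenticate the caller and dispatch the JSON-RPC body here.
  // CORS decides only whether a browser may read the reply; it is not authentication.
  res.writeHead(200, { "Content-Type": "application/json" });
  res.end(JSON.stringify({ jsonrpc: "2.0", id: null, result: {} }));
}
```

To serve it, call validatePolicy(policy) once and then http.createServer(handle).listen(port). Because corsHeaders is a pure function of the policy and the request, the same header set is guaranteed on OPTIONS and POST, which removes the most common cause of "passes preflight, fails on the real request".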

Common scenarios and example configurations

Single web app talking to an MCP server

Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: POST, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization, x-api-key
Access-Control-Max-Age: 600
      
Multiple trusted origins

const allowedOrigins = new Set([
  "https://ops.example.com",
  "https://analytics.example.com"
]);

// Node lowercases incoming header names, so read "origin", not "Origin".
const origin = request.headers.origin;

// Always vary on Origin, so a cached response produced for one origin is
// never served to another, whether or not this origin was allowed.
response.setHeader("Vary", "Origin");

if (allowedOrigins.has(origin)) {
  // Echo the exact trusted origin; never reflect an unknown one.
  response.setHeader("Access-Control-Allow-Origin", origin);
}

Development environment (less strict)

Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization, sessionid, x-api-key
Access-Control-Allow-Credentials: true
      

Troubleshooting CORS issues

No Access-Control-Allow-Origin header
Ensure the server includes the correct Access-Control-Allow-Origin header on both OPTIONS and POST responses.
Response to preflight request does not pass access control check
Ensure OPTIONS returns a 2xx status and includes required methods and headers.
Credentials and wildcard origin
Do not combine Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true.
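The three failures above can be diagnosed offline from a captured preflight, for example from server logs or a HAR export. The following is an added example, not from the original page: it checks an OPTIONS request/response pair against the acceptance rules a browser applies (Fetch standard), including the details that a wildcard in the allow lists does not count for credentialed requests and never covers the Authorization header. The sample exchanges are constructed, and the withCredentials field stands for the fetch's credentials mode, which the captured preflight itself does not carry.

```javascript
// Added example: lints a captured OPTIONS preflight exchange and returns the
// problems a browser would report. Sample data below is constructed.

const CORS_SAFELISTED_METHODS = ["get", "head", "post"];

// Header names are case-insensitive; normalise to lowercase keys.
function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
}

// Splits "POST, OPTIONS" into ["post", "options"], dropping blanks.
function splitList(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Returns a list of problems; an empty list means the preflight would pass.
function checkPreflight(exchange) {
  const { request, response } = exchange;
  const req = lowerKeys(request.headers);
  const res = lowerKeys(response.headers);
  const withCredentials = Boolean(request.withCredentials);
  const problems = [];

  if (response.status < 200 || response.status > 299) {
    problems.push(`OPTIONS returned ${response.status}; preflight must return 2xx`);
  }

  const allowOrigin = res["access-control-allow-origin"];
  if (!allowOrigin) {
    problems.push("No Access-Control-Allow-Origin header is present");
  } else if (allowOrigin !== "*" && allowOrigin !== req.origin) {
    problems.push(`Access-Control-Allow-Origin ${allowOrigin} does not match Origin ${req.origin}`);
  }

  if (withCredentials) {
    if (allowOrigin === "*") {
      problems.push("Access-Control-Allow-Origin: * cannot be combined with credentials");
    }
    if (res["access-control-allow-credentials"] !== "true") {
      problems.push("Access-Control-Allow-Credentials: true is missing");
    }
  }

  // "*" in the allow lists only counts for requests sent without credentials.
  const allowedMethods = splitList(res["access-control-allow-methods"]);
  const wildcardMethods = allowedMethods.includes("*") && !withCredentials;
  const method = (req["access-control-request-method"] || "").toLowerCase();
  if (method && !allowedMethods.includes(method) && !wildcardMethods &&
      !CORS_SAFELISTED_METHODS.includes(method)) {
    problems.push(`method ${method.toUpperCase()} is not in Access-Control-Allow-Methods`);
  }

  const allowedHeaders = splitList(res["access-control-allow-headers"]);
  const wildcardHeaders = allowedHeaders.includes("*") && !withCredentials;
  for (const name of splitList(req["access-control-request-headers"])) {
    // Per Fetch, "*" never covers Authorization; it must be listed explicitly.
    const covered = allowedHeaders.includes(name) || (wildcardHeaders && name !== "authorization");
    if (!covered) problems.push(`header ${name} is not in Access-Control-Allow-Headers`);
  }
  return problems;
}

// Constructed sample: the preflight a browser sends before an MCP POST.
const preflightRequest = {
  withCredentials: true,
  headers: {
    Origin: "https://app.example.com",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers": "authorization, content-type, x-gw-ims-org-id",
  },
};

// Constructed sample: a misconfigured reply (wildcard origin with credentials,
// one custom header missing from the allow list).
const badResponse = {
  status: 200,
  headers: {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
  },
};

// Constructed sample: the same reply corrected.
const goodResponse = {
  status: 204,
  headers: {
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization, x-gw-ims-org-id",
    Vary: "Origin",
  },
};

console.log(checkPreflight({ request: preflightRequest, response: badResponse }));
console.log(checkPreflight({ request: preflightRequest, response: goodResponse })); // []
```

Run against the bad reply it reports exactly the two defects (wildcard origin with credentials, and x-gw-ims-org-id missing from Access-Control-Allow-Headers); the corrected reply produces an empty list. Feeding it the headers from your own OPTIONS response is a quicker check than reloading the page and reading the browser console.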
