What is the Access-Control-Allow-Origin response header?

The Access-Control-Allow-Origin response header indicates whether the response can be shared with requesting code from the given origin.

The header can take three values based on the case:

  1. Access-Control-Allow-Origin: * For requests made without credentials, the literal value `*` tells the browser to allow requesting code from any origin to access the resource.
  2. Access-Control-Allow-Origin: <origin> This specifies a single origin. If the server supports clients from multiple origins, it must return the origin of the client making the request.
  3. Access-Control-Allow-Origin: null This value should be avoided. The origin of resources that use a non-hierarchical scheme, and of sandboxed documents, is serialized as null, and user agents may grant such documents access to the response. Any origin can create a hostile sandboxed document whose origin is null.

Note If the server sends a response whose Access-Control-Allow-Origin value is an explicit origin rather than `*`, the response must also include a `Vary: Origin` header to indicate that the response differs based on the request's Origin header. A server that omits it risks a cached response being served to the wrong origin, so it must be set with care.
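The three cases and the note above, put together as an added example (not code from the original page): a server-side helper that uses the wildcard only for public, non-credentialed resources, echoes back a single allowlisted origin together with `Vary: Origin`, and never shares with a `null` origin. The allowlist and the origins are constructed sample values.

```javascript
// Added example: decide which CORS headers a server should emit for a request.
// ALLOWED_ORIGINS is a constructed sample allowlist.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// requestOrigin: value of the request's Origin header (null if absent).
// credentials:   the resource is used with cookies/auth (credentialed request).
// anyOrigin:     the resource may be read by any origin.
// Returns the headers to add to the response; {} means "do not share".
function corsHeaders(requestOrigin, { credentials = false, anyOrigin = false } = {}) {
  // Case 1: a public, non-credentialed resource may use the wildcard.
  // The wildcard is not valid for credentialed requests, so those fall
  // through to the explicit-origin path below.
  if (anyOrigin && !credentials) {
    return { "Access-Control-Allow-Origin": "*" };
  }

  // Case 3: "null" is the serialized origin of sandboxed documents and of
  // non-hierarchical schemes; never echo it back as an allowed origin.
  if (!requestOrigin || requestOrigin === "null") {
    return {};
  }

  // Case 2: echo back exactly one origin, and only if it is allowlisted.
  // Parsing normalizes e.g. a trailing slash before the allowlist lookup.
  let origin;
  try {
    origin = new URL(requestOrigin).origin;
  } catch {
    return {}; // malformed Origin header: do not share
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    return {};
  }

  // The value now depends on the request's Origin, so caches must be told
  // via Vary: Origin (the point made in the note above).
  const headers = {
    "Access-Control-Allow-Origin": origin,
    Vary: "Origin",
  };
  if (credentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}
```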


Copyright ©2025 Educative, Inc. All rights reserved