.NET CORS – What It Really Is and Why It Annoys Developers at First
If you have ever connected a .NET API with Angular, React, or even a simple PHP frontend, chances are you didn’t learn CORS first. You met it as an error.
Most developers do.
You run the frontend, call the API, everything looks fine in Postman… and then the browser throws a big red message saying the request is blocked.
That’s CORS.
So… what is CORS actually?
CORS means Cross-Origin Resource Sharing.
In very simple words: it’s a browser rule that decides which website is allowed to talk to your API.
If the frontend and backend are not coming from the same place (domain, port, or protocol), the browser pauses and asks:
“Should I allow this request or not?”
If your API doesn’t answer properly, the browser blocks it.
Why does CORS exist at all?
Because without it, the internet would be unsafe.
Imagine:
You log in to a websiteYour browser stores cookies or tokensAnother random site secretly calls the same APIWithout CORS, that request could go through.So browsers follow a rule called Same-Origin Policy: Same domain → allowed Same protocol → allowed Same port → allowed Anything different needs explicit permission. That permission is CORS.
A very common real-world case
Frontend: http://localhost:4200 (Angular) Backend: https://localhost:5001 (.NET API) Ports are different → browser blocks it. That’s when developers see: No ‘Access-Control-Allow-Origin’ header is present The API is working. The browser just refuses to accept the response.