Architectureeasy

CORS: what is it and what does it NOT protect you from?

Answer

CORS is a browser rule that controls which origins can read responses from your API via JavaScript. It’s not authentication and it doesn’t stop someone from calling your API from a server or tools like curl. You still need proper auth/authz and input validation on the server.

Advanced answer

Deep dive

Expanding on the short answer — what usually matters in practice:

Context (tags): architecture, web, cors, security
Scaling: what scales horizontally vs vertically, where bottlenecks appear.
Reliability: retries/circuit breakers/idempotency, observability (logs/metrics/traces).
Evolution: keep changes cheap (boundaries, contracts, tests).
Explain the "why", not just the "what" (intuition + consequences).
Trade-offs: what you gain/lose (time, memory, complexity, risk).
Edge cases: empty inputs, large inputs, invalid inputs, concurrency.

Examples

A tiny example (an explanation template):

// Example: discuss trade-offs for "cors:-what-is-it-and-what-does-it-not-protect-yo"
function explain() {
  // Start from the core idea:
  // CORS is a browser rule that controls which origins can read responses from your API via Ja
}

Common pitfalls

Too generic: no concrete trade-offs or examples.
Mixing average-case and worst-case (e.g., complexity).
Ignoring constraints: memory, concurrency, network/disk costs.

Interview follow-ups

When would you choose an alternative and why?
What production issues show up and how do you diagnose them?
How would you test edge cases?