Why Most APIs Don't Enable CORS?

Reynaldi
Reynaldi •

On This Page

You might be wondering why some APIs don’t enable CORS, and what exactly they’re trying to protect. After all, what’s the problem in calling it from a browser?

In this article, we’ll explore the reasons why APIs don’t enable CORS, debunk some common misconceptions, and look at how you can ethically work with these APIs when you need client-side access.

Why Most APIs Don’t Enable CORS

Server-to-Server Communication by Design

Many APIs are specifically designed for server-to-server communication. Usage in the browser wasn’t part of the original plan, and the API makers want to maintain. By not enabling CORS, they can assert control over how their API is consumed, ensuring it’s only called from server-side.

Preventing API Token Leakage

When an API requires authentication tokens, having those tokens on the client side creates a security risk. Developers might mistakenly include tokens directly in frontend code, where they become visible to anyone who views the source or inspects network requests. By disabling CORS, API providers push developers to use server-side implementations.

Rate Limiting and Access Control

Having an API only accessible without CORS means that typically only servers can call it, compared to allowing it to be called freely on any website. This makes rate limiting much more manageable for several reasons:

  • Easier to identify clients: Server-side requests are easier to track and attribute to specific users or organizations
  • Reduced volume: Without client-side access, there’s inherently less request volume since each user isn’t making direct API calls
  • Better enforcement: Rate limits can be more effectively enforced when requests come from a controlled number of server origins

What It’s NOT Protecting

CORS Is Not A Protection For Session Hijacking

While some sources claim that disabling CORS protects against credential theft or session hijacking, this is misleading at best. CORS is not a security mechanism, it’s an access control mechanism, as the name itself suggests: Access-Control-Allow-Origin.

If you want to protect against credential theft and CSRF attacks, you need to use different mechanisms entirely, such as:

  • Cookie attributes like HttpOnly, Secure, and SameSite=Lax or SameSite=Strict
  • CSRF tokens
  • Proper authentication headers instead of cookie-based auth for APIs

These mechanisms prevent credentials from being included in unauthorized cross-origin requests. CORS simply controls whether a browser allows your JavaScript to read a response.

Where Does a CORS Proxy Fit Here?

A CORS proxy like Corsfix allows you to call and fetch APIs directly from the client side while still being respectful of the API provider’s intentions. Here’s how:

For Server-to-Server Communication Requirements

Corsfix provides an easy method for developers to call these APIs while still conforming to the requirement of server-side execution, your requests go through a server (the proxy) rather than directly from the browser.

// GET request
fetch("https://proxy.corsfix.com/?https://api.example.com/users")
  .then((response) => response.json())
  .then((data) => console.log(data));

For Preventing API Token Exposure

Corsfix has first-class support for secrets, allowing you to securely store tokens and use them in your requests without exposing them in client-side code:

// Instead of exposing your token in the frontend:
// ❌ Don't do this
fetch("https://api.example.com/data", {
  headers: { Authorization: "Bearer sk-123..." },
});


// ✅ Use Corsfix with secrets variable
fetch("https://proxy.corsfix.com/?<url>", {
  headers: { Authorization: "Bearer {{SECRET_TOKEN}}" },
});

This ensures you never expose secrets while still having access to a wide range of APIs from your frontend application.

For Rate Limiting Concerns

The target API can still limit throughput for requests coming through the proxy, which is important for maintaining their service quality. Additionally, Corsfix provides caching features that:

  • Reduce load on the target server by serving cached responses when appropriate
  • Provide better performance to end users since cached requests return instantly
  • Help you stay within rate limits by reducing redundant API calls
fetch("https://proxy.corsfix.com/?<url>", {
  headers: {
    "x-corsfix-cache": "true",
  },
});

Conclusion

APIs don’t enable CORS for reasons such as: to enforce server-to-server communication patterns, prevent API token leakage, and maintain rate limiting.

It’s important to understand that CORS isn’t a security protection mechanism, it’s an access control mechanism, as clearly indicated by its name.

When you need to call these APIs from client-side code, you can use a CORS proxy like Corsfix.

It's time to build great websites without CORS errors

Try our CORS proxy for free, all features included.

Fix CORS errorsNo credit card required.