As asked
What is CORS and why does the browser enforce it? Walk me through how a preflight request works, and what Access-Control headers you need to set on an Express API so that a React app on a different origin can make authenticated POST requests.
Sample answer outline
CORS is enforced by the browser to prevent a malicious website from making authenticated requests to a different origin using the user's credentials. For cross-origin POST with credentials, the browser first sends an OPTIONS preflight request. The server must respond with Access-Control-Allow-Origin (the specific origin, not * when credentials are involved), Access-Control-Allow-Methods, Access-Control-Allow-Headers, and Access-Control-Allow-Credentials: true. The candidate should know that * is not allowed when credentials are used, that the cors npm package configures this, and that CORS is a browser policy (server-to-server calls are not affected).
Expect these follow-ups
- Why does setting Access-Control-Allow-Origin: * not work with credentials, and what do you do instead for multiple allowed origins?