CORS


Definition

CORS (Cross-Origin Resource Sharing) is a Setup page where administrators add trusted origin URLs that are allowed to make JavaScript requests to Salesforce APIs from web pages hosted on external domains. Without a CORS allowlist entry, browsers block cross-origin requests to Salesforce for security reasons.

Real-World Example

A developer at CloudNova builds a custom React application hosted on app.cloudnova.com that needs to call Salesforce REST APIs directly from the browser. She adds "https://app.cloudnova.com" to the CORS allowlist in Setup, which tells Salesforce to include the appropriate Access-Control-Allow-Origin headers in API responses to that domain.

Why CORS Matters

CORS (Cross-Origin Resource Sharing) is a browser security mechanism, and in Salesforce the CORS Setup page is where administrators allowlist the external domains permitted to make JavaScript API calls to the org. When a web application hosted on a different domain calls Salesforce REST or SOAP APIs directly from the browser, the browser first sends a preflight OPTIONS request (for any request that is not a "simple" request, such as one carrying an Authorization header) to check whether the origin is allowed. If the domain is not in the CORS allowlist, Salesforce omits the Access-Control-Allow-Origin header and the browser blocks the request entirely. This is a fundamental security feature that prevents unauthorized websites from accessing your org's data.

As organizations build more custom web applications, single-page apps, and microservices that interact with Salesforce data, CORS configuration becomes a frequent point of friction and troubleshooting. Developers who encounter cryptic 'No Access-Control-Allow-Origin header' errors in the browser console often waste hours before realizing the fix is a simple Setup change. However, over-permissive CORS configurations create security risks — adding too many origins or using wildcards exposes your APIs to potential cross-site request forgery attacks. Organizations scaling their Salesforce integrations need a documented policy for which domains get CORS access, regular audits of the allowlist, and a process for removing entries when applications are decommissioned.
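As an added illustration (not Salesforce's code) of the exchange described above: a small Python model of the allowlist decision that determines whether Access-Control-Allow-Origin is returned, plus an audit pass that flags the stale or over-broad entries the review process just mentioned is meant to catch. The allowlist contents, the wildcard matching rule and the preflight header set are constructed assumptions.

```python
"""Added example (not Salesforce code): models the Origin check behind the CORS
allowlist and audits the list for entries a periodic review should flag.
Wildcard matching and the preflight header set are assumptions."""
from urllib.parse import urlsplit
# Constructed allowlist: one production origin plus leftovers an audit should catch.
ALLOWLIST = [
    "https://app.cloudnova.com",
    "https://*.apexdigital.io",  # wildcard host: every subdomain is trusted
    "http://localhost:3000",     # stale development entry
]

def origin_allowed(origin, allowlist=ALLOWLIST):
    """True if Origin matches an entry on scheme, host and port. A '*.' host is assumed
    to match any subdomain (not the bare domain); an opaque 'null' origin is refused."""
    o = urlsplit(origin)
    if not o.hostname:
        return False
    for entry in allowlist:
        e = urlsplit(entry)
        if o.scheme != e.scheme or o.port != e.port:
            continue
        if e.hostname.startswith("*."):
            if o.hostname.endswith(e.hostname[1:]):  # endswith '.apexdigital.io'
                return True
        elif o.hostname == e.hostname:
            return True
    return False

def preflight_response(origin, allowlist=ALLOWLIST):
    """Headers for the browser's OPTIONS preflight. For a non-allowlisted origin ACAO
    is simply absent, which the console reports as 'No Access-Control-Allow-Origin'."""
    headers = {"Vary": "Origin"}
    if origin_allowed(origin, allowlist):
        headers["Access-Control-Allow-Origin"] = origin  # echo the exact origin, never '*'
        headers["Access-Control-Allow-Methods"] = "GET, POST, PATCH, DELETE"
        headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
    return headers

def audit_allowlist(allowlist=ALLOWLIST):
    """Return (entry, reason) pairs for entries a quarterly review should question."""
    findings = []
    for entry in allowlist:
        e = urlsplit(entry)
        if e.scheme != "https":
            findings.append((entry, "non-https origin"))
        if e.hostname in ("localhost", "127.0.0.1"):
            findings.append((entry, "development host in production allowlist"))
        if e.hostname.startswith("*."):
            findings.append((entry, "wildcard trusts every subdomain"))
    return findings
```

Note that the stale `http://localhost:3000` entry still passes `origin_allowed`, which is exactly why the audit pass, not the request path, is what catches it.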

How Organizations Use CORS

  • CloudNova — CloudNova hosts a React application at app.cloudnova.com that lets customers view and update their support cases by calling Salesforce REST APIs directly from the browser. The developer added 'https://app.cloudnova.com' to the CORS allowlist in Setup, enabling the frontend to authenticate via OAuth and make API calls. Without this entry, every API call was blocked by the browser with a CORS error, even though authentication was valid.
  • Apex Digital Agency — Apex Digital Agency built a marketing dashboard at dashboard.apexdigital.io that pulls campaign performance data from Salesforce using the Analytics API. During development, the team initially added their localhost URL to CORS for testing, then replaced it with the production domain before go-live. They maintain a quarterly review process to audit CORS entries and remove any stale development or staging domains.
  • Trident Healthcare — Trident Healthcare developed a patient-facing web portal hosted on myhealth.tridentcare.org that queries Salesforce Health Cloud APIs for appointment availability. Their security team required that only the production portal domain be added to CORS, and they implemented a change management process requiring security review before any new CORS entries are added. This prevented two unauthorized domain additions that were attempted during a phishing incident.
