The full name is cross-origin resource sharing, which you can forget once you get the idea. A CORS error doesn’t mean you did something illegal or hacked anything. It usually means your browser blocked frontend code because the other server didn’t say your website was allowed to read that response.
Think about a private event with a guest list. Someone walks up with an invitation from another company, and the host checks whether that company is allowed in before letting them through. CORS is that guest-list check inside your browser, asking, “Is this website allowed to read this response from here?”
How it shows up
Your frontend sits at one address, the API at another. Your page tries to fetch data, the browser stops it, and you see an error about CORS policy. The same API may work fine from a terminal command and still fail from the browser, because CORS is mainly a browser rule. It’s not authentication, not an API key, not a general wall around the server. The server participates by sending headers that tell the browser which origins and methods are allowed. An origin is the protocol, domain, and port together. A method is the kind of request, like GET or POST, which connects to HTTP method.
Why you care
CORS is one of the first confusing errors people hit when building with AI-generated code. The AI writes frontend code that calls an API directly from the browser, it looks reasonable, then the browser blocks it. Don’t panic. Figure out where the request comes from, what the server allows, and whether the call belongs in the frontend or should go through your backend instead.