is a mechanism that uses additional HTTP headers to inform the browser whether a specific web application can share resources with another web application.

So, what happens when application A requests something from application B? The Cross-Origin Preflight Mechanism is followed, where a preflight OPTIONS call is made before the actual API call.

Then, server B takes on the rspnsibility of verifying whether the call is valid. If it's valid, B sends back some HTTP headers, signaling that it's safe to proceed, and the actual POST call is made. The Access-Control-Allow-Origin header is a crucial addition to this process.

Now, one question remains: Does every request made from A to B follow this CORS preflight? The answer is no. There are two types of access control mechanisms: simple requests and preflight requests. Some requests from the browser are automatically tagged as simple requests