What is CORS and how does it work?

CORS (Cross-Origin Resource Sharing) allows servers to specify which origins can access their resources, relaxing same-origin policy. Browser sends Origin header; server responds with Access-Control-Allow-Origin. Simple requests (GET, POST with basic content-types) go directly. Preflighted requests (PUT, DELETE, custom headers) send OPTIONS first. Headers: Allow-Credentials (cookies), Allow-Methods, Allow-Headers, Max-Age (cache preflight). Server must explicitly allow cross-origin access.