Access-Control-Allow-Origin

Access-Control-Allow-Origin: https://app.example.com

What it does

The core CORS response header: it names which Origin may read this response from browser JavaScript. A value of * allows any origin, but not on requests sent with credentials.

The gotcha

The header controls whether browser JavaScript may READ the response; the request often still reaches the server. CORS is browser-side protection, not authentication.
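
The gotcha above, as an added example that is not part of the original page: a simplified model of the browser's CORS check for a simple (non-preflighted) cross-origin request, run against a constructed server that never looks at the caller. The names makeServer, corsCheck and simulate, and the origin https://other.example, are assumptions made for illustration.

```javascript
// Constructed server: it processes every request it receives. Its CORS
// header names one readable origin and says nothing about who is calling.
function makeServer() {
  return {
    writes: 0,
    handle(req) {
      this.writes += 1; // side effect happens before any browser-side check
      return {
        status: 200,
        headers: { "access-control-allow-origin": "https://app.example.com" },
        body: "ok",
      };
    },
  };
}

// Returns true when script running at `origin` may read the response.
// `credentials` is true when the request carried cookies or HTTP auth
// (fetch with credentials: "include").
function corsCheck(origin, credentials, headers) {
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return false;          // no header: not readable
  if (!credentials && acao === "*") return true; // wildcard, no credentials
  if (acao !== origin) return false;             // exact match only; "*" with credentials fails here
  if (!credentials) return true;
  return headers["access-control-allow-credentials"] === "true";
}

// Sends one simple cross-origin request and reports what the script sees
// alongside what the server did.
function simulate(server, origin, credentials) {
  const res = server.handle({ origin, credentials });
  const readable = corsCheck(origin, credentials, res.headers);
  return { readable, body: readable ? res.body : null, serverWrites: server.writes };
}

const demo = makeServer();
console.log(simulate(demo, "https://app.example.com", false)); // readable
console.log(simulate(demo, "https://other.example", false));   // blocked, yet serverWrites is 2
```

The second call is blocked from reading, but the server's write counter still advanced, so state-changing endpoints need their own authentication and authorization checks.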

Debugging headers on a phone

The fastest way to see what Access-Control-Allow-Origin is actually doing is to send the request and read both sides raw — ReqPad shows auto-generated and custom headers for every request, on all six protocols, with history.

Inspect Access-Control-Allow-Origin on a live request.

Build the request, send it, read raw headers and timing — from your iPhone. Free to start.