CORS and third party cookies
Cross-Origin Resource Sharing (CORS)
A mechanism that allows a website on one URL to request data from another URL.
For example, a website (localhost:5000) might try to fetch data from an API (:3000).
The browser implements the same-origin policy, which allows a website to request data freely from its own URL but blocks anything from external URLs unless certain conditions are met.
The browser sends the Origin header in its request.
The API server should whitelist that origin domain and include in its response the Access-Control-Allow-Origin header with a value that matches the Origin header originally sent.
If the browser gets a response where those 2 headers don't match, it blocks it.
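The header exchange described above, as an added example that is not part of the original notes: a server-side origin check and a simplified model of the browser's comparison. The function names, the allowlist and the sample origins are hypothetical, constructed for illustration.

```javascript
// Constructed sample allowlist: the website from the notes (localhost:5000).
const ALLOWED_ORIGINS = new Set(["http://localhost:5000"]);

// Server side: decide which CORS headers to attach for a given Origin header.
function corsHeadersFor(requestOrigin, allowed = ALLOWED_ORIGINS) {
  // Vary: Origin keeps caches from serving one origin's response to another.
  const headers = { Vary: "Origin" };
  // Exact string match only; substring or suffix checks would also accept
  // look-alike origins that merely contain an allowed value.
  if (typeof requestOrigin === "string" && allowed.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Browser side (simplified model): may the page's script read the response?
function browserAllowsRead(pageOrigin, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false; // no header: response is blocked
  // "*" is also accepted by browsers for requests sent without credentials.
  return acao === "*" || acao === pageOrigin;
}

// Run one request through both sides and report the outcome.
function simulate(pageOrigin) {
  const responseHeaders = corsHeadersFor(pageOrigin);
  return {
    responseHeaders,
    readable: browserAllowsRead(pageOrigin, responseHeaders),
  };
}

// Constructed sample origins: one allowed, one look-alike, one unrelated.
for (const origin of [
  "http://localhost:5000",
  "http://localhost:5000.attacker.example",
  "http://localhost:8080",
]) {
  console.log(origin, "->", simulate(origin).readable ? "readable" : "blocked");
}
```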
Cookies 3rd party cookies
3rd party cookies are almost deprecated by Google in the Chrome browser.