I use express.js for my server, with this headers:
x-powered-by: Express
connection: keep-alive
content-length: 2
content-type: application/json; charset=utf-8
access-control-allow-methods: GET,PUT,POST,DELETE
access-control-allow-origin: *
access-control-allow-headers: x-requested-with
I call res.header to allow CORS:
res.header("Access-Control-Allow-Origin:", "*");
res.header("Access-Control-Allow-Methods", "GET,PUT,POST,DELETE");
res.header("Access-Control-Allow-Headers", "x-requested-with");
You can test here : http://my-api.rs.af.cm/api/products
For my front-end, I use jsbin and I call my server with $.ajax: http://jsbin.com/apizez/37/edit
Result here: http://jsbin.com/apizez/37
You can look at the JS console, you will see this error:
XMLHttpRequest cannot load http://my-api.rs.af.cm/api/products. Origin http://jsbin.com is not allowed by Access-Control-Allow-Origin.
I read all others answers on CORS and I don't want to use easyXDM.
Thanks to Ryan Olds to help me to understand how CORS requests work.
Here the correct headers:
res.header('Access-Control-Allow-Origin', req.headers.origin || "*");
res.header('Access-Control-Allow-Methods', 'GET,POST,PUT,HEAD,DELETE,OPTIONS');
res.header('Access-Control-Allow-Headers', 'content-Type,x-requested-with');
All my requests had that headers in their response.
I use $.getJSON for GET requests with jQuery, otherwise It doesn't work.
You can see the example here: http://jsbin.com/uwevuc/2/edit