Blog
Guides for safer browser APIs
Deep dives on CORS, proxies, OAuth, and production gateways—in every language we support.
Start with these guides
Foundational posts that connect to our docs and proxy setup.
Import maps: CORS for mapped module URLs, CDN pinning, and integrity attributes with cross-origin scripts
Subresource Integrity hashes do not replace CORS—both are required for safe cross-origin modules.
1 min read · Read article →
SharedArrayBuffer: COOP and COEP headers for cross-origin isolation, and CORS for embedded assets
Without isolation, `SharedArrayBuffer` is unavailable—do not confuse this with generic CORS failures.
1 min read · Read article →
WebCodecs: VideoFrame and EncodedVideoChunk, CORS for media pipelines, and transferable buffers from workers
Hardware decode availability is unrelated to CORS—surface codec errors distinctly from network failures.
1 min read · Read article →
Web Audio API: decoding AudioBuffers from fetch, CORS requirements for ArrayBuffer responses, and worklets
AudioWorklet processors run in isolated contexts—verify CORS on any dynamic `fetch` inside the worklet.
1 min read · Read article →
HTML canvas and cross-origin images: taint, CORS-enabled ImageBitmap, and getImageData restrictions
Set `crossOrigin` on `Image` before `src` assignment to request credentialed or anonymous CORS as needed.
1 min read · Read article →
Janus WebRTC server: CORS on admin and REST APIs, long polling, and plugin-specific HTTP callbacks
Token-based mounts should validate `Origin` even when using short-lived tokens.
1 min read · Read article →
mediasoup WebRTC: CORS on signaling REST APIs, DTLS/SRTP ports, and worker process isolation
Never expose mediasoup Worker RPC to the public internet without authentication.
1 min read · Read article →
Colyseus game servers: CORS authority, room filtering, and matchmaking HTTP APIs alongside WebSocket gameplay
Rate limit join attempts per IP and per origin to mitigate abuse on public lobbies.
1 min read · Read article →
µWebSockets: permessage-deflate, CORS-like origin checks on upgrade, and maximum payload limits
Compression interacts with CPU limits—mis-tuned settings can look like flaky CORS from slow handshakes.
1 min read · Read article →
Socket.IO with Redis adapter: CORS across multiple Node servers, sticky sessions, and polling fallbacks
Long-polling retries can amplify preflight volume—tune `pingTimeout` and client reconnection backoff.
1 min read · Read article →
Squid proxy as HTTP accelerator: CORS with never_direct, cache peers, and SSL bump implications
Avoid caching `OPTIONS` unless you fully understand Vary and `Cache-Control` from upstream.
1 min read · Read article →
Varnish VCL: CORS headers in vcl_backend_response, saint mode, and caching OPTIONS responses safely
Use `Vary: Origin` as a cache key component when Allow-Origin varies per request.
1 min read · Read article →
Pound reverse proxy: SSL termination, CORS header forwarding, and backend pool selection for APIs
Document which headers Pound adds versus upstream—debugging mixed CORS requires packet captures.
1 min read · Read article →
HAProxy in HTTP mode: injecting CORS headers, HTTP health checks, and OPTIONS routing to dedicated backends
Dedicated backends for OPTIONS can reduce CPU on primary API servers—monitor queue depth.
1 min read · Read article →
NGINX Plus: dynamic CORS with key-value stores, maps, and synchronized state across cluster nodes
Combine `map` with real client IP from `real_ip` when behind CDNs—trust only verified headers.
1 min read · Read article →
Oracle Cloud API Gateway with Functions: CORS policies, deployment stages, and backend TLS verification
Validate certificates on function backends; mixed TLS errors surface as opaque failures in SPAs.
1 min read · Read article →
DigitalOcean App Platform: CORS for static sites, serverless functions, and ingress routing rules
Preview apps get ephemeral URLs—whitelist them or use environment-based origin checks.
1 min read · Read article →
Google Cloud Functions (2nd gen): CORS on Cloud Run, ingress settings, and IAM invoker for browsers
Public invoker with Firebase Auth tokens still needs `Access-Control-Allow-Origin` on token refresh endpoints.
1 min read · Read article →
Azure Functions: CORS in the portal, host.json overrides, and function keys versus Easy Auth
Easy Auth runs before your function—OPTIONS may need explicit handling when authentication is required.
1 min read · Read article →
AWS Lambda Function URLs: CORS configuration, HTTP API versus REST API, and auth with IAM or none
IAM auth on Function URLs is not browser-friendly—use Cognito or JWT at the edge for SPAs.
1 min read · Read article →
Cloudflare Pages Functions: CORS middleware on `_middleware`, static asset routing, and Workers KV limits
Preview deployments get unique `*.pages.dev` hosts—add them to Allow-Origin or use dynamic origin callbacks.
1 min read · Read article →
WinterJS and WebAssembly runtimes: fetch compatibility, CORS in edge environments, and Workers API parity
Validate `Request`/`Response` polyfills against real browser preflight sequences.
1 min read · Read article →
Node.js test runner: mocking fetch with undici, CORS headers in snapshot tests, and coverage of OPTIONS
Use `mockAgent` from undici to simulate preflight without hitting the network.
1 min read · Read article →
Bun runtime: native fetch performance, CORS headers in HTTP servers, and compatibility with Node middleware
Benchmarks can hide CORS overhead—measure end-to-end OPTIONS latency in staging, not just microbenchmarks.
1 min read · Read article →
Deno Deploy: edge functions, CORS headers per isolate, and permission flags for outbound fetch
Use `Deno.env` for allowlists; never hardcode secrets that could be extracted from public edge code.
1 min read · Read article →
gRPC-Web in Envoy: CORS filters, HTTP/1.1 bridges, and JSON transcoding for browser clients
Enable reflection only in development; production reflection widens attack surface beyond CORS concerns.
1 min read · Read article →
WebRTC signaling: CORS on REST endpoints, STUN/TURN credentials, and why ICE is not HTTP CORS
Rotate TURN credentials frequently; short-lived passwords reduce replay risk more than CORS tweaks.
1 min read · Read article →
WebTransport over HTTP/3: CORS, cross-origin datagrams, and bidirectional streams versus WebSocket
Feature-detect `WebTransport` and fall back gracefully; polyfills cannot recreate CORS semantics.
1 min read · Read article →
Server-Sent Events: CORS with EventSource, credentials mode, and custom fetch wrappers for POST-based SSE
Set `Access-Control-Allow-Headers: Last-Event-ID` when clients resume streams after reconnects.
1 min read · Read article →
WebSocket subprotocols: CORS-like origin checks on the upgrade handshake, Sec-WebSocket-Protocol, and cookies
Do not send secrets in query strings; use subprotocol negotiation or secure cookies after the connection opens.
1 min read · Read article →
keycloak-js adapter: public clients, CORS on the token endpoint, and realm versus client URL configuration
Use confidential clients for server-side flows; public clients are inherently limited in refresh token lifetime.
1 min read · Read article →
Clerk browser SDK: Frontend API CORS, session cookies, and cross-origin JWT templates for SPAs
Rotate signing keys with zero downtime; coordinate CORS header caches with key publication times.
1 min read · Read article →
Auth0 SPA SDK: allowed origins, callback and logout URLs, and CORS with the Auth0 Management API
Use organizations and multi-tenant apps carefully; each tenant may need distinct allowed origins.
1 min read · Read article →
oidc-client-js: silent renew via iframes, CORS on session management endpoints, and third-party cookie phase-out
Monitor `userinfo` and `session_state` calls separately from API traffic in dashboards.
1 min read · Read article →
OAuth2 authorization code with PKCE: CORS on token endpoints, SPA redirect URIs, and silent refresh pitfalls
Register exact redirect URIs including trailing slashes—browsers treat mismatches as cross-origin failures.
1 min read · Read article →
Brave Shields: CORS, fingerprinting protections, and how aggressive blocking can break API integrations
Provide a “compat mode” toggle in docs that lists known Shields settings for your API domain.
1 min read · Read article →
Microsoft Edge WebView2: CORS for hosted web content, host object callbacks, and enterprise policy overrides
Post host objects to the UI thread before invoking CORS-sensitive APIs from native code.
1 min read · Read article →
Firefox Total Cookie Protection: per-site cookie jars, CORS, and cross-site POST requests
Test in Firefox ESR when enterprise users deploy stricter policies than consumer channels.
1 min read · Read article →
Safari ITP: partitioned cookies, Storage Access API, and CORS credentialed requests that still fail
Prompt for `document.requestStorageAccess()` only after user gesture; avoid silent retries that spam preflights.
1 min read · Read article →
Chrome extension Manifest V3: host_permissions, CORS for cross-origin fetches, and service worker limitations
Offscreen documents can help isolate long-running fetches; still validate responses before injecting into pages.
1 min read · Read article →
Qwik City server endpoints: CORS, resumability, and lazy hydration that delays cross-origin fetches
Prefetch service worker strategies can request APIs early—treat those as normal credentialed browser requests.
1 min read · Read article →
SolidStart: HTTP handlers, CORS with Vinxi and Nitro adapters, and streaming SSR with Suspense boundaries
Align `createHandler` wrappers with the same origin list your SPA build emits in `import.meta.env`.
1 min read · Read article →
Astro server islands: CORS for deferred HTML fragments, hybrid rendering, and client-side fetch after hydration
Use `astro:env` to inject safe public values; avoid leaking secrets into island scripts.
1 min read · Read article →
NuxtHub and Cloudflare: edge CORS, D1 and KV bindings, and server routes that proxy to private origins
Use runtime config to inject API base URLs without exposing internal service tokens to the browser bundle.
1 min read · Read article →
Next.js App Router route handlers: CORS in Route Handlers, Edge versus Node runtime, and middleware layering
Share CORS helpers between Route Handlers and Server Actions only where both face browser-originated requests.
1 min read · Read article →
Remix resource routes: CORS headers on loaders and actions, webhooks, and same-origin JSON APIs
Use `headers` export helpers to centralize Allow-Origin logic across many route modules.
1 min read · Read article →
SvelteKit load functions: server-side fetch without CORS, hooks, and browser-only API calls after navigation
Use `event.fetch` in load functions to inherit cookies and tracing headers consistently.
1 min read · Read article →
Vue composables and useFetch: CORS in the browser, Nuxt server routes, and SSR without leaking cookies
Use `useRequestHeaders` carefully; forwarding Authorization to upstream APIs changes CORS surfaces.
1 min read · Read article →
TanStack Query: defaultQueryClient fetch options, CORS credentials, and mutation retries on 401
Global `queryFn` wrappers should not strip headers that your API lists in Access-Control-Allow-Headers.
1 min read · Read article →
Angular HttpClient: CORS, HTTP interceptors, and XSRF cookie-to-header flow with credentialed requests
Match `withCredentials()` usage in interceptors with backend Allow-Credentials and SameSite cookie policies.
1 min read · Read article →
Postman: CORS in the desktop vs web client, pre-request scripts, and collection variables for OAuth tokens
Use Postman’s built-in browser tab for flows that must mirror CORS exactly.
1 min read · Read article →
Swagger UI: OAuth2 redirects, CORS on token and authorize endpoints, and PKCE with browser-based flows
Host Swagger UI on the same origin as your API or explicitly allow the Swagger origin in staging.
1 min read · Read article →
Orval: REST client generation, CORS mutators for fetch and axios, and OpenAPI tags mapped to hooks
Override `baseUrl` per environment in `orval.config` to avoid accidental production calls during local dev.
1 min read · Read article →
OpenAPI Generator: TypeScript axios clients, CORS preflight with custom headers, and request interceptors
Regenerate clients when OpenAPI `securitySchemes` change so Allow-Headers matches reality.
1 min read · Read article →
GraphQL Code Generator: TypeScript fetch clients, CORS credentials mode, and custom fetcher plugins
Pin `schema` URLs to CI artifacts so codegen output matches CORS headers in staging.
1 min read · Read article →
Vitest browser mode: CORS with native fetch, MSW in Playwright, and polyfills that alter preflight behavior
Align `test.browser` providers with the same origin as your Vite dev server when possible.
1 min read · Read article →
MSW Mock Service Worker: CORS headers in handlers, Jest and Vitest integration, and Node versus browser
Use `server.listen()` lifecycle hooks to reset CORS state between tests.
1 min read · Read article →
Selenium Grid: CORS across cross-origin iframes, third-party widgets, and remote WebDriver sessions
Align Grid node timezones with your API’s date-sensitive CORS rules if any exist.
1 min read · Read article →
Cypress chromeWebSecurity: disabling CORS checks for tests, and why you should still mirror production origins
Use cy.intercept to stub APIs while keeping same-origin policy enabled for critical smoke suites.
1 min read · Read article →
Playwright E2E tests: CORS behavior in Chromium, Firefox, and WebKit; service workers and bypass patterns
Route network calls to mock APIs only when you intentionally isolate CORS from backend availability.
1 min read · Read article →
Istio VirtualService and Gateway: CORS policy attachment, ServiceEntry for external APIs, and sidecar egress
Use telemetry v2 filters to measure OPTIONS volume separately from successful API calls.
1 min read · Read article →
Linkerd service mesh: edge ingress CORS is optional, mTLS between pods, and browser traffic patterns
Annotate ingress resources explicitly; default Linkerd behavior does not inject CORS headers into HTTP responses.
1 min read · Read article →
Envoy proxy: CORS HTTP filter, route-level policies, and WASM extensions for dynamic Allow-Origin lists
Use SDS or xDS to push updated origin lists without draining connections during incidents.
1 min read · Read article →
Caddy reverse_proxy: CORS directives, header_up transforms, and automatic HTTPS with SPA fallbacks
Use `handle_path` to strip API prefixes consistently before forwarding Origin to backends.
1 min read · Read article →
Traefik Ingress: CORS headers via middleware, Kubernetes labels, and TCP versus HTTP routers
Use IngressRoute CRDs to version middleware chains per team without editing global static configs.
1 min read · Read article →
hapi.js route options: CORS configuration per route, handler prerequisites, and failAction behavior
Document which routes allow credentials and which are public read-only to avoid accidental cookie leakage.
1 min read · Read article →
koa-cors and @koa/cors: async middleware stacks, delegated methods, and origin checks with downstream routers
Compose smaller apps for `/public` and `/api` if you need different CORS policies without conditional spaghetti.
1 min read · Read article →
express and cors package: middleware ordering, OPTIONS-first behavior, and production pitfalls behind reverse proxies
Trust proxy settings affect X-Forwarded-Host—keep dynamic origin callbacks consistent with what browsers send.
1 min read · Read article →
@fastify/cors plugin: preflight hooks, dynamic origin functions, and route-level OPTIONS overrides
Use onRequest hooks to short-circuit malicious origins before your business logic runs.
1 min read · Read article →
NestJS with Helmet: CORS middleware order, security headers, and OPTIONS handling before auth guards
Use MiddlewareConsumer or global prefix strategies consistently so every module inherits the same Allow-Methods list.
1 min read · Read article →
Rollup watch mode: library bundles, CORS on demo HTML pages, and UMD versus IIFE globals
Serve demo pages from the same domain as your docs site to reuse one Content-Security-Policy for scripts and XHR.
1 min read · Read article →
Parcel bundler: CORS defaults, HMR over WebSocket, and Web Workers with blob: module scripts
Use .parcelrc or custom hosts to restrict origins when your API credentials are in localStorage.
1 min read · Read article →
esbuild serve mode: static assets, CORS headers on the built-in server, and API proxy glue code
Prefer composing esbuild with a reverse proxy in front when you need consistent security headers across teams.
1 min read · Read article →
Vite dev server: CORS, server.proxy configuration, and SSR fetch to internal APIs during development
Use import.meta.env to switch API base URLs between dev proxy paths and production absolute URLs.
1 min read · Read article →
webpack-dev-server: CORS, devServer.proxy, and keeping HMR WebSocket origins aligned with your API
Set devServer.headers for Access-Control-* only when you must hit the API directly—prefer proxy to avoid split-brain CORS rules.
1 min read · Read article →
Twilio Verify API: CORS for browser clients, SMS OTP delivery, and why secrets stay on the server
Use Verify’s fraud guard signals server-side—do not expose risk scores directly to untrusted clients.
1 min read · Read article →
Stripe.js and CORS: Payment Element, cross-origin iframes, and 3DS flows that depend on postMessage, not your API
Use Stripe’s recommended CSP and frame-ancestors directives alongside CORS for your own assets.
1 min read · Read article →
LaunchDarkly feature flags: JavaScript SDK bootstrap, streaming endpoints, and CORS for client-side evaluation
Bootstrap flag payloads from your SSR layer to reduce client secret exposure and redundant network chatter.
1 min read · Read article →
Datadog RUM and CORS: correlating browser sessions with backend traces via allowed trace headers
Use RUM beforeSend hooks to redact query strings that might contain tokens.
1 min read · Read article →
Sentry release health and CORS: error reporting from single-page apps without blocked ingest
Use the tunnel option when ad blockers or corporate proxies strip error POST bodies.
1 min read · Read article →
Google Cloud Run: CORS at the ingress, nginx sidecars, and health checks that must not strip Vary
Use min instances during launches to avoid cold-start preflight timeouts under burst traffic.
1 min read · Read article →
Azure API Management: CORS policy in inbound and outbound sections, XML pitfalls, and developer portal testing
Use revision-based deployments to test CORS changes without affecting production consumers.
1 min read · Read article →
AWS API Gateway CORS with Lambda proxy integration: preflight mapping templates and error payloads
Use MOCK integrations for OPTIONS when Lambda cold starts would violate SLA for preflight latency.
1 min read · Read article →
Cloudflare Workers KV: CORS, cache keys that include Origin, and avoiding cross-tenant data leaks
Set cache TTL shorter than KV eventual consistency windows for auth-sensitive reads.
1 min read · Read article →
Vercel Edge Middleware: CORS headers, rewrites, and locale routing without breaking preflight
Short-circuit OPTIONS in middleware only when you mirror all required response headers from the API layer.
1 min read · Read article →
Directus headless CMS: CORS for REST and GraphQL, static assets, and presigned file delivery
Use environment-specific CORS env vars in Docker Compose stacks for preview sites.
1 min read · Read article →
Strapi CMS: CORS plugin settings, media uploads, and same-origin policies for the admin panel
Size upload limits in middleware to match reverse proxy body size and avoid opaque 413 errors.
1 min read · Read article →
Hasura GraphQL: CORS configuration, admin secret misuse, and JWT role claims for browsers
Use remote schemas only from trusted backends to avoid SSRF through GraphQL layers.
1 min read · Read article →
Firebase App Check with CORS: reCAPTCHA, device attestation, and protecting callable HTTPS endpoints
Enforce App Check in emulator suites before tightening production rules.
1 min read · Read article →
Supabase Edge Functions: CORS, anon keys, and JWT exchange patterns for browser clients
Return short-lived JWTs from a function after validating the anon key server-side.
1 min read · Read article →
PlanetScale branching: preview databases, connection strings, and CORS when SPAs point at staging APIs
Use deploy requests to promote schema safely before switching production traffic.
1 min read · Read article →
MongoDB Atlas Data API: browser access, CORS rules in JSON, and least-privilege API keys
Rotate Data API keys on the same schedule as JWT signing keys for SPAs.
1 min read · Read article →
OpenSearch Dashboards behind nginx: CORS, reverse proxies, and securing analytics UIs
Terminate TLS at nginx and forward X-Forwarded-* consistently for OpenSearch security plugins.
1 min read · Read article →
Memcached for session caching: stateless APIs, CORS, and why key design matters for browsers
Consistent hashing reduces hot keys but changes migration strategy when clusters resize.
1 min read · Read article →
Redis and ioredis clusters: session stores, sticky sessions, and CORS with credentialed cookies
Use Redis TTL aligned with refresh token rotation to avoid ghost sessions after deploys.
1 min read · Read article →
Render.com Blueprint YAML: infrastructure as code for services that must share CORS policies
Use preview environments to test CORS before promoting to production blueprints.
1 min read · Read article →
Heroku dynos: sleep, cold starts, and why CORS preflight latency spikes on free tiers
Upgrade to paid dynos for critical APIs or add a lightweight health ping to prevent sleep.
1 min read · Read article →
Fly.io global edge: CORS, anycast networking, and pinning API regions for latency-sensitive SPAs
Use flyctl secrets for origin allowlists; avoid baking long lists into Docker images.
1 min read · Read article →
Railway and Render: environment variables, preview URLs, and CORS in production versus staging
Rotate preview deployment URLs in your API allowlist when platforms recycle subdomains.
1 min read · Read article →
DigitalOcean App Platform: CORS, custom domains, and TLS for full-stack deployments
Validate that wildcard subdomains for preview apps do not accidentally mirror production Allow-Origin lists.
1 min read · Read article →
Google Search Console: crawl errors, blocked resources, and when CORS affects rendering reports
Use URL Inspection live test after fixing CORS on assets referenced by your templates.
1 min read · Read article →
Google rich results: structured data, same-origin JSON-LD, and CORS for client-rendered blogs
Validate with Rich Results Test after each template change; avoid injecting schema only via remote scripts blocked by CSP.
1 min read · Read article →
International SEO: hreflang clusters, XML sitemaps, and localized blog URLs with CORS-safe origins
Submit sitemap indexes in Search Console per domain property; verify reciprocal hreflang links.
1 min read · Read article →
Core Web Vitals and third-party scripts: CORS, fetch priority, and main-thread cost
Defer non-critical beacons after load; use fetchpriority hints on hero images separate from analytics calls.
1 min read · Read article →
WCAG and accessible CORS error pages: screen readers, focus order, and plain-language guidance
Provide keyboard-navigable help links to your docs and status page without trapping focus in modals.
1 min read · Read article →
Datadog RUM: configuring allowed origins, CORS for intake endpoints, and PII scrubbing
Align Content-Security-Policy connect-src with Datadog domains you enable for session replay.
1 min read · Read article →
Cloudflare Bot Fight Mode: JavaScript challenges, CORS, and API traffic from first-party SPAs
Ensure API responses still include CORS headers when a challenge page is served to suspicious clients.
1 min read · Read article →
AWS WAF managed rules: allowing CORS preflight OPTIONS without blocking legitimate traffic
Use count mode first, then block; tag requests with labels to tune exclusions for API partners.
1 min read · Read article →
Google Cloud Armor: security policies, header actions, and CORS-friendly allowlists
Coordinate with Cloud CDN cache keys when you vary responses by Origin.
1 min read · Read article →
Azure API Management: CORS policy in XML, inbound rules, and developer portal testing
Republish the developer portal after policy changes so examples show current Allow-Headers lists.
1 min read · Read article →
Remix loaders and CORS: single-flight mutations versus cross-origin resource loaders
Prefer moving sensitive fetches to loaders to keep secrets off the client entirely.
1 min read · Read article →
SvelteKit hooks: handle CORS for browser clients while server load functions bypass it
Forward Set-Cookie from upstream carefully when proxying to avoid leaking session material.
1 min read · Read article →
TanStack Query: CORS, credentials, and refetch policies for cross-origin dashboards
Separate query keys per tenant to avoid cache poisoning when Allow-Origin varies by customer.
1 min read · Read article →
Vue 3 and Axios: withCredentials, baseURL, and CORS configuration for SPAs
Pinia stores should not persist tokens in localStorage if you rely on cookie sessions with CORS.
1 min read · Read article →
Angular HttpClient: CORS, interceptors, and proxy.conf.json for local development
Keep interceptors for auth tokens separate from CORS—do not fake Allow-Origin in client code.
1 min read · Read article →
Insomnia and other REST clients: Electron shells and why they differ from Chrome CORS
Validate production behavior only with browser-based tests or real user sessions.
1 min read · Read article →
Postman collections versus browsers: why green API tests still fail under real CORS rules
Add a lightweight browser smoke test alongside collection runs before every release.
1 min read · Read article →
mitmproxy and TLS decryption: debugging CORS headers on localhost API servers
Never ship mitm certificates to production devices—use dedicated dev machines only.
1 min read · Read article →
Puppeteer and headless Chrome: automating CORS regression checks in CI pipelines
Avoid disabling web security in CI—it hides real CORS failures you need to catch.
1 min read · Read article →
Playwright: extra HTTP headers, CORS, and reliable integration tests for browser APIs
Run tests against staging with the same CDN configuration as production to catch header drift.
1 min read · Read article →
Safari Intelligent Tracking Prevention: third-party contexts, CORS, and cookie lifetimes
Prefer first-party API subdomains for Safari-heavy audiences; test on real devices, not only desktop Chrome.
1 min read · Read article →
HTTP/2 and HTTP/3 multiplexing: how many parallel CORS-backed fetches share one connection
Server push is largely gone—design APIs assuming streams and prioritization hints instead.
1 min read · Read article →
Accept-Encoding, Brotli, gzip, and how CORS preflight caching interacts with Vary
Align CDN cache rules so preflight objects do not inherit aggressive TTL from API GET responses.
1 min read · Read article →
Private Network Access: when public sites probe localhost and CORS meets mixed security reviews
Treat local development exposure as a product risk—document why LAN endpoints are reachable from the public web.
1 min read · Read article →
Open Graph images, meta tags, CORS, and how social crawlers fetch your previews
Serve og:image with correct Cache-Control; use absolute HTTPS URLs in tags to avoid redirect chains that break previews.
1 min read · Read article →
User-facing CORS errors: accessible copy, support tickets, and what not to expose
Link to your status page and docs; include correlation IDs only if they are safe for end users.
1 min read · Read article →
Cross-Origin-Resource-Policy and COEP: orthogonal controls that interact with CORS visibility
Cross-Origin-Opener-Policy pairs with COEP for crossOriginIsolated—plan header rollouts with your CDN team.
1 min read · Read article →
dns-prefetch and preconnect: faster connections to API origins that still require CORS
Use crossorigin attribute when preconnecting to APIs that use credentialed requests or CORS-relevant certificates.
1 min read · Read article →
Brotli, Vary: Accept-Encoding, and CORS: cache key explosion at the edge
Separate static asset compression from JSON API compression policies to simplify debugging.
1 min read · Read article →
Multipart uploads to S3 from the browser: CORS, ETag in Expose-Headers, and completing parts
Use single-region uploads for simpler signatures; cross-region adds latency and signing complexity.
1 min read · Read article →
Netlify Edge Functions: injecting CORS on rewrite paths and split testing
Netlify Blobs and background functions are separate—do not assume one CORS policy covers all Netlify features.
1 min read · Read article →
Firebase App Hosting and Cloud Functions: wiring CORS for SSR and API routes
Emulator suites differ from production TLS and header ordering—run smoke tests against deployed URLs.
1 min read · Read article →
AWS Amplify Hosting: SPA rewrites, custom headers, and API proxy CORS alignment
CloudFront caches at the edge—invalidate after CORS policy changes to avoid stale header combinations.
1 min read · Read article →
Linkerd and CORS: where to terminate browser traffic versus mesh mTLS
If you inject headers in Linkerd routes, ensure they merge cleanly with application-level CORS headers.
1 min read · Read article →
Kubernetes Ingress-NGINX: CORS annotations, snippets, and controller upgrades
Enable snippet annotations only when trusted admins control the cluster—arbitrary config is risky.
1 min read · Read article →
Fastify @fastify/cors: register order, hooks, and encapsulation with plugins
Use preflight: true and explicit methods arrays to avoid accidental broad allowances.
1 min read · Read article →
Express cors middleware: dynamic origin callbacks and async allowlists
Never reflect arbitrary Origin headers—validate against a stored set or suffix rules.
1 min read · Read article →
django-cors-headers: CORS_ALLOWED_ORIGINS versus regex and deployment checklist
Middleware order matters—corsheaders should sit after CommonMiddleware per Django docs.
1 min read · Read article →
Spring Boot WebMvc: CorsRegistry, order of filters, and security matchers
Use @CrossOrigin sparingly on controllers; prefer centralized registry for consistent preflight behavior.
1 min read · Read article →
Apache httpd: mod_headers patterns for conditional CORS on Directory and Location blocks
OPTIONS handling may need explicit RewriteRule to a handler—verify headers on OPTIONS responses separately.
1 min read · Read article →
API versioning and sunset headers: exposing deprecation signals through CORS-safe responses
Expose only non-sensitive header names to browsers—link relation deprecations can include URLs to docs.
1 min read · Read article →
Edge runtimes compared: setting CORS on Workers, Lambda@Edge, and Supabase functions
Centralize allowlists in KV or environment bindings rather than hardcoding in every function revision.
1 min read · Read article →
Webhook endpoints and browser CORS: why Stripe-style callbacks are server-to-server
Still return 2xx quickly and verify signatures—your public API remains subject to CORS separately.
1 min read · Read article →
GraphQL subscriptions over WebSocket: CORS on HTTP does not cover the socket upgrade
Keep subscription auth tokens out of query strings—use Sec-WebSocket-Protocol or first payload messages.
1 min read · Read article →
W3C traceparent and CORS: should browsers expose distributed trace IDs?
Prefer server-side correlation IDs returned in a controlled custom header with minimal PII.
1 min read · Read article →
EventSource (SSE): CORS, credentials, and reconnection headers
Last-Event-ID replays must not bypass authorization—validate session on each reconnect.
1 min read · Read article →
Mutual TLS in browsers: client certificates interact with CORS but are not a substitute
Safari and Chrome prompts differ—automate tests across engines for enterprise mTLS rollouts.
1 min read · Read article →
Content-Security-Policy connect-src versus CORS: two layers that must agree
Report CSP to a collector endpoint that is itself allowlisted—avoid recursive noise.
1 min read · Read article →
Istio VirtualService: centralizing CORS policies across revisions and namespaces
Use destination rule subsets to roll out stricter Allow-Headers only to canary workloads.
1 min read · Read article →
OpenResty and Lua: dynamic Access-Control-* rules without reloading nginx
Cache negative lookups briefly to protect Redis; cap header value length to avoid abuse.
1 min read · Read article →
Distributed tracing across CORS boundaries: what to propagate and what to redact
Log correlation IDs on the API gateway for preflight and actual requests to stitch timelines.
1 min read · Read article →
HTTP caching and Vary: Origin when APIs tailor Access-Control-Allow-Origin per caller
CDNs that ignore Vary can poison caches—validate with multi-origin integration tests through the CDN.
1 min read · Read article →
AWS SigV4 from browsers: presigned URLs and CORS on S3 versus API Gateway
Never embed long-lived IAM keys in SPAs—exchange for short-lived credentials server-side.
1 min read · Read article →
Backend-for-frontend pattern: shrinking the public CORS surface
Still authenticate every BFF route—same-origin does not mean unauthenticated.
1 min read · Read article →
SameSite=Lax versus None: aligning cookie policy with credentialed CORS
Misconfigured cookies look like CORS failures—verify Set-Cookie attributes alongside Access-Control-Allow-Origin.
1 min read · Read article →
Mobile deep links and universal links: keep API CORS separate from app URL schemes
Document which flows use custom schemes versus https callbacks so security reviews cover both surfaces.
1 min read · Read article →
GraphQL federation gateways: one CORS surface for many subgraphs
Align persisted queries and CSRF defenses with your CORS policy—introspection should be off in production.
1 min read · Read article →
CloudFront Functions and Lambda@Edge: injecting CORS without warming every PoP
Avoid duplicating CORS logic in S3 and CloudFront—pick one layer as source of truth for header names.
1 min read · Read article →
WebSocket handshakes: Origin header checks complement CORS for long-lived sessions
Reject mismatched origins before accepting the socket to prevent cross-site WebSocket hijacking.
1 min read · Read article →
gRPC-Web through Envoy: CORS filters and preflight for protobuf browsers
Match OPTIONS to a dedicated route that returns Access-Control-* without hitting expensive upstream work.
1 min read · Read article →
Shadow traffic and canaries: validating CORS headers on duplicated requests
Use synthetic origins in shadow tests to cover partner domains not active in current traffic.
1 min read · Read article →
Distributed rate limiting with Redis: consistent counters behind a CORS-aware gateway
Use Lua scripts for atomic increments; avoid race conditions that let bursts slip through during failover.
1 min read · Read article →
API key rotation without downtime: overlap windows and monitoring
Automate reminders in the developer portal and emit distinct error subcodes for expired keys.
1 min read · Read article →
JWT Bearer in memory versus HttpOnly cookies: CORS and XSS trade-offs
HttpOnly cookies need CSRF defenses; Bearer tokens need strict CSP—neither replaces server-side authorization.
1 min read · Read article →
OAuth2 PKCE, refresh tokens, and CORS at the token endpoint
Rotate refresh tokens and bind them to DPoP or mTLS when your threat model requires stronger proof than CORS alone.
1 min read · Read article →
HAProxy and CORS: http-response set-header patterns for APIs
Mirror header policy on backup nodes during failover drills so browsers do not see policy flaps.
1 min read · Read article →
Traefik as a reverse proxy: middleware chains for CORS and TLS
Use labels in Docker Compose or Kubernetes CRDs consistently across environments to avoid drift.
1 min read · Read article →
Capacitor, Cordova, and hybrid apps: bridging native and web CORS rules
Prefer native HTTP plugins for privileged calls; keep public API CORS strict for webviews.
1 min read · Read article →
Electron apps and localhost CORS: custom protocols and webSecurity
Use file:// or custom protocols carefully—treat API calls like a web app unless you use Node integrations.
1 min read · Read article →
Browser extensions and CORS: host permissions versus web page rules
Never ask users to install extensions to ‘fix’ CORS in production; fix server headers instead.
1 min read · Read article →
Testing CORS with Cypress: intercepting requests and validating headers
Pair Cypress with a local backend or staging to avoid flakiness from third-party rate limits.
1 min read · Read article →
Testing CORS with Playwright: real browser coverage for your API
Combine API tests with page-level navigation to catch regressions middleware-only tests miss.
1 min read · Read article →
Custom headers in API design: every new header can cost a preflight
Prefer simple header sets for browser clients; push heavy metadata to the body when possible.
1 min read · Read article →
CORS preflight and HTTP redirects: avoiding broken OPTIONS chains
Prefer stable HTTPS endpoints for APIs; fix redirect chains that strip headers at intermediate hops.
1 min read · Read article →
HTTP 204 No Content for CORS preflight: when empty bodies are correct
Verify your framework returns headers on 204; some adapters accidentally omit them on empty responses.
1 min read · Read article →
API versioning, deprecation headers, and keeping CORS policies in sync
Expose Deprecation and Sunset headers when standards allow, and mirror them through your CORS proxy layer.
1 min read · Read article →
WebSocket handshake versus HTTP CORS: what is validated where
Do not confuse fetch() CORS debugging with WebSocket connection failures—check upgrade response codes and subprotocols.
1 min read · Read article →
GraphQL federation and CORS at the edge: gateway responsibilities
Terminate TLS and CORS at the gateway consistently—subgraph internal calls skip browser CORS but need authZ.
1 min read · Read article →
SLOs and SLIs for APIs: availability, latency, and error budgets with CORS in scope
Split metrics by origin cohort to detect a broken partner integration without blaming the whole platform.
1 min read · Read article →
Canary deployments: validating CORS headers before full rollouts
Automate synthetic checks from representative origins in CI and after deploy hooks.
1 min read · Read article →
Circuit breakers for downstream APIs: fail fast without amplifying outages
Coordinate timeouts with CORS proxy settings so browsers do not hang longer than your UX allows.
1 min read · Read article →
Idempotency keys for POST: safe retries without duplicate side effects
Document key lifetime and storage costs—typically backed by Redis or your primary database with TTL.
1 min read · Read article →
Structured logging at API gateways: redaction, sampling, and correlation IDs
Propagate a request ID from edge to upstream and return it in exposed headers for support tickets.
1 min read · Read article →
Zero trust at the edge: identity, device posture, and API calls from browsers
Treat every API call as untrusted until verified—include service mesh or gateway authz for internal routes too.
1 min read · Read article →
Pricing public APIs: rate limits, fair use, and communicating quotas in headers
Publish SLOs for latency and availability alongside numeric limits so developers can engineer to your contract.
1 min read · Read article →
Wildcard subdomains and CORS: when reflection is safe versus dangerous
Prefer explicit origin lists or server-side session binding instead of naive regex reflection.
1 min read · Read article →
Duplicate Access-Control-* headers: why browsers reject ambiguous CORS responses
Search your stack for two layers adding CORS—Ingress plus app middleware is a frequent culprit.
1 min read · Read article →
HTTP/3 and QUIC: do CORS rules change on the wire?
Still validate TLS, SNI, and intermediate retries—HTTP/3 fallbacks can surface subtle timing bugs in preflight.
1 min read · Read article →
Server-Sent Events (SSE) and CORS: long-lived connections in the browser
Validate Cache-Control and proxy buffering so intermediaries do not break chunked SSE responses.
1 min read · Read article →
Multipart file uploads and CORS: when preflight doubles your round trips
Use signed URLs or same-origin upload endpoints when possible to simplify browser security requirements.
1 min read · Read article →
Service workers, fetch(), and CORS: interception limits you should know
Do not assume a worker can add Allow-Origin—only the network response or a same-origin proxy can.
1 min read · Read article →
Axios and CORS errors: interceptors, adapters, and when to fix the server
If you see Network Error in the browser, inspect preflight and response headers before changing Axios config.
1 min read · Read article →
fetch() credentials modes: cors, same-origin, and opaque responses
Choosing include tightens Allow-Origin rules—plan cookies and SameSite policies before shipping.
1 min read · Read article →
Kong Gateway: configuring the CORS plugin safely at scale
Prefer explicit origins over *; combine with rate limiting and auth plugins for defense in depth.
1 min read · Read article →
Kubernetes Ingress: CORS annotations and controller differences
Avoid duplicating CORS at both Ingress and application unless you intentionally terminate browser policy at the edge.
1 min read · Read article →
Express and Fastify CORS middleware: patterns for production APIs
Register CORS early in the stack, but after security parsers that need raw bodies—test OPTIONS paths explicitly.
1 min read · Read article →
CORS on AWS Lambda and API Gateway: integration vs Lambda proxy
Pick one layer to own CORS to avoid duplicate or conflicting Access-Control-* headers in responses.
1 min read · Read article →
CORS and Content-Security-Policy: complementary browser controls
A correct CORS policy does not replace CSP—combine them so compromised markup cannot phone home to arbitrary hosts.
1 min read · Read article →
Access-Control-Max-Age: caching preflight results to reduce latency
Tune Max-Age for stable APIs; shorten it when you rotate allowed methods or headers frequently.
1 min read · Read article →
Access-Control-Expose-Headers: which response headers JavaScript can read
If you need correlation IDs or rate-limit headers in the browser, your API must explicitly expose them—reflection alone is not enough.
1 min read · Read article →
CorsAPI workflow: projects, rules, keys, and the proxy URL
Create an organization, define CORS origins and host allowlists, mint a key, then call with url query param.
1 min read · Read article →
credentials: 'include' and CORS: no wildcards, tight rules
Credentialed fetches are the strictest mode—mirror a single explicit origin per response.
1 min read · Read article →
Mobile app WebViews: CORS, custom schemes, and native bridges
Do not assume WebView behaves exactly like the latest evergreen browser—versions lag on older OS tiers.
1 min read · Read article →
OpenAPI, Swagger UI, and testing CORS on documented endpoints
Try-it-out flows hit your real API; ensure dev and prod CORS policies match expectations.
1 min read · Read article →
Self-hosting API gateways and CORS proxies: operations checklist
Owning infrastructure means owning patching schedules—treat CORS config as code reviewed in PRs.
1 min read · Read article →
Preventing open proxy abuse: allowlists, quotas, and monitoring
Keys without host limits are a liability; combine network and application controls.
1 min read · Read article →
p50, p95, p99: why percentile latency matters for APIs
Track p95 alongside error rates when you change CORS proxies or upstream routes.
1 min read · Read article →
Security headers beyond CORS: hardening API responses
CORS governs cross-origin reads; other headers reduce XSS and MIME confusion risks.
1 min read · Read article →
CDN caching and CORS: Vary, surrogate keys, and pitfalls
Wildcard CORS on public JSON might be fine, but personalized Allow-Origin needs Vary: Origin.
1 min read · Read article →
Webhooks vs browser fetch: where CORS does not apply
If your integration is webhook-first, spend effort on HMAC verification, not Allow-Origin headers.
1 min read · Read article →
JSONP history and why modern browsers standardized on CORS
JSONP was a hack; CORS gives explicit server consent and works with modern verbs and headers.
1 min read · Read article →
Debugging CORS with Chrome DevTools Network and Issues tabs
The Issues tab surfaces CORS failures with direct links to blocked responses—start there.
1 min read · Read article →
Cloudflare Workers: CORS patterns at the edge
Workers run close to users—great for latency—but policy logic must stay explicit and tested.
1 min read · Read article →
Adding CORS headers in Nginx without breaking caching
Static assets rarely need CORS; APIs behind Nginx often do—scope rules narrowly.
1 min read · Read article →
Next.js Route Handlers: setting CORS headers correctly
Route handlers are the right place to echo Allow-Origin for your own API—mirror only trusted origins.
1 min read · Read article →
OAuth in single-page apps: redirects, CORS, and token storage
The browser follows redirects; APIs must return precise CORS headers for token and metadata calls.
1 min read · Read article →
GraphQL in the browser: CORS, cookies, and single endpoints
One URL does not mean one simple request—custom headers and JSON bodies usually trigger preflight.
1 min read · Read article →
REST API integration checklist for production frontends
Shipping fast is easy; operating for months requires contracts, observability, and failure modes.
1 min read · Read article →
Rate limiting strategies: per key, per IP, and burst handling
Fair limits protect upstreams and users. Communicate limits in headers and document retry behavior.
1 min read · Read article →
API keys and least privilege in browser-facing apps
Public clients cannot hide long-lived secrets. Design keys for revocation, quotas, and observability.
1 min read · Read article →
Using a CORS proxy for third-party APIs: risks and guardrails
A proxy is not a free pass—treat it as a security boundary with keys, quotas, and logging.
1 min read · Read article →
Fixing CORS errors: a checklist that actually works
Red console errors are clues. Verify the failing request type, response headers, and whether credentials are involved.
1 min read · Read article →
Same-origin policy vs CORS: how they work together
Same-origin is the default wall. CORS is the controlled door—learn when each applies.
1 min read · Read article →
CORS preflight: when the browser sends an OPTIONS request
Not every cross-origin request runs a preflight. Learn the rules browsers use before your fetch hits the network twice.
1 min read · Read article →
What is CORS? A practical guide for web developers
CORS is a browser security model—not a server bug. Here is how origins, headers, and preflight fit together.
1 min read · Read article →
