
Backend-for-frontend pattern: shrinking the public CORS surface

A dedicated BFF is served from the same origin as the site, so the browser only makes same-origin requests and the microservices behind the BFF avoid browser CORS entirely.


When it helps

Complex aggregations and SSR benefit from server-only calls to internal APIs without exposing them to the web.

You can stream responses while hiding internal retry and circuit-breaker logic.

Trade-offs

The BFF becomes a scaling hotspot: load test it and cache idempotent reads.

Mobile apps may need a separate public API if they cannot share the web BFF deployment.
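
An added example (not code from the original post): a minimal BFF request handler in JavaScript that aggregates two internal calls, keeps retries server-side, caches the idempotent read per user, and emits no CORS headers. The route `/api/dashboard`, the `*.internal` URLs, the injected `fetchInternal` function and `req.userId` are assumptions for illustration.

```javascript
// Added example: names, paths and internal URLs below are hypothetical.
const INTERNAL = {                       // server-side only, never sent to the browser
  profile: "http://profile.internal:8080/v1/profile",
  orders: "http://orders.internal:8080/v1/orders",
};

// Retry lives in the BFF, so the browser only ever sees the final outcome.
async function callWithRetry(fetchInternal, url, attempts = 3) {
  let lastErr;
  for (let i = 0; i < attempts; i++) {
    try { return await fetchInternal(url); } catch (err) { lastErr = err; }
  }
  throw lastErr;
}

function createBff(fetchInternal, { ttlMs = 5000, now = Date.now } = {}) {
  const cache = new Map();               // idempotent GET reads only

  return async function handle(req) {
    // No Access-Control-* headers and no OPTIONS preflight handling: the page
    // and /api/* share one origin, so the browser never applies CORS checks.
    const headers = { "content-type": "application/json" };
    if (req.method !== "GET" || req.path !== "/api/dashboard") {
      return { status: 404, headers, body: JSON.stringify({ error: "not found" }) };
    }
    // req.userId is assumed to come from the server-side session, not the client.
    const user = encodeURIComponent(req.userId);
    const key = `${req.path}:${user}`;   // keyed per user so reads never cross accounts
    const hit = cache.get(key);
    if (hit && hit.expires > now()) return { status: 200, headers, body: hit.body };

    try {
      // Aggregate two internal calls into one same-origin response.
      const [profile, orders] = await Promise.all([
        callWithRetry(fetchInternal, `${INTERNAL.profile}/${user}`),
        callWithRetry(fetchInternal, `${INTERNAL.orders}?user=${user}`),
      ]);
      const body = JSON.stringify({ name: profile.name, orderCount: orders.length });
      cache.set(key, { body, expires: now() + ttlMs });
      return { status: 200, headers, body };
    } catch {
      // Generic error: internal hostnames and failure details stay server-side.
      return { status: 502, headers, body: JSON.stringify({ error: "upstream unavailable" }) };
    }
  };
}
```

The handler takes a plain `{ method, path, userId }` object and returns `{ status, headers, body }`, so it can be mounted behind any HTTP server that serves the site's own origin.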
