
Caddy reverse_proxy: CORS directives, header_up transforms, and automatic HTTPS with SPA fallbacks

Caddyfile snippets help reuse CORS blocks across sites—validate that `header` directives do not duplicate Access-Control-* from upstream.

caddy, reverse-proxy, cors

On-demand TLS

Short-lived certificates rotate frequently—monitor OCSP stapling failures that coincide with CORS error spikes.

Internal-only services behind Caddy still need correct SANs if developers tunnel through a VPN with split DNS.

Caching

When caching API responses at the edge, include Origin in the cache key or authenticated users may see cross-tenant leakage.

Responses that carry ETag validators should also send Vary: Origin, so that revalidation does not return a stale Access-Control-Allow-Origin that mismatches the requesting origin.
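A check for the two failure modes described above (Access-Control-* fields duplicated between proxy and upstream, and origin-specific responses cached without Vary: Origin), as an added example that is not from the original post. The function names, finding labels and sample headers are constructed for illustration.

```python
from collections import defaultdict

def parse_headers(raw):
    """Parse 'Name: value' lines into {lowercase name: [values]}, keeping repeats."""
    headers = defaultdict(list)
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return headers

def audit_cors(raw, request_origin):
    """Return findings for one response fetched through the proxy with the given Origin."""
    h = parse_headers(raw)
    findings = []
    # Same Access-Control-* field present more than once (proxy and upstream both set it).
    for name in sorted(h):
        if name.startswith("access-control-") and len(h[name]) > 1:
            findings.append(f"duplicate:{name}")
    acao = h.get("access-control-allow-origin", [])
    vary = {tok.strip().lower() for v in h.get("vary", []) for tok in v.split(",")}
    if len(acao) == 1 and acao[0] != "*":
        # An origin-specific response must tell caches that it depends on Origin.
        if not vary & {"origin", "*"}:
            findings.append("missing-vary-origin")
        # A different origin echoed back points at a cached copy made for someone else.
        if acao[0] != request_origin:
            findings.append("allow-origin-mismatch")
    return findings

# Constructed sample responses (not captured from a real deployment).
DUPLICATED = """
Access-Control-Allow-Origin: https://app.example.test
Access-Control-Allow-Origin: https://app.example.test
Vary: Origin
"""
STALE_CACHED = """
Access-Control-Allow-Origin: https://tenant-a.example.test
Age: 120
ETag: "v1"
"""
CLEAN = """
Access-Control-Allow-Origin: https://app.example.test
Vary: Accept-Encoding, Origin
ETag: "v1"
"""

if __name__ == "__main__":
    print(audit_cors(STALE_CACHED, "https://tenant-b.example.test"))
```

Feed it the response headers as seen by the client, after Caddy and any edge cache, together with the Origin that was sent on the request.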
