Blog

Cloudflare Pages Functions: CORS middleware on `_middleware`, static asset routing, and Workers KV limits

Functions run on the same zone as static files—centralize CORS in middleware to avoid duplicating headers per route file.

Published: 2028-03-26Updated: 2028-03-281 min read

cloudflarepagescors

Redirects

Bulk redirects in `_redirects` can bypass Functions—ensure CORS on API paths still hits middleware.

A/B testing at the edge may split traffic—log Origin with experiment IDs.

When Functions forward to Durable Objects, CORS headers must be set on the HTTP response returned to the browser.

WebSocket DOs need separate origin validation from REST CORS.