CORS preflight and HTTP redirects: avoiding broken OPTIONS chains
Browsers may follow redirects on preflight, but mixed schemes or auth hops can invalidate CORS responses.
Why redirects hurt preflight
Each hop must preserve or re-apply CORS headers consistently; a 302 to HTTP can break secure contexts.
Some CDNs redirect OPTIONS differently than GET, so mirror that behavior in tests for both methods.
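An added example (not from the original post): a Python check that walks a redirect chain by hand for OPTIONS and GET, then flags redirects, HTTPS-to-HTTP downgrades, and hops without a matching Access-Control-Allow-Origin. The function names, the example.test hosts and the sample chains are constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def probe(url, method, origin, max_hops=5):
    """Walk a redirect chain by hand; return [(url, status, headers), ...]."""
    hops = []
    for _ in range(max_hops):
        u = urlsplit(url)
        https = u.scheme == "https"
        conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(u.netloc, timeout=10)
        headers = {"Origin": origin}
        if method == "OPTIONS":  # minimal preflight: ask permission for a GET
            headers["Access-Control-Request-Method"] = "GET"
        conn.request(method, (u.path or "/") + ("?" + u.query if u.query else ""), headers=headers)
        resp = conn.getresponse()
        hdrs = {k.lower(): v for k, v in resp.getheaders()}
        conn.close()
        hops.append((url, resp.status, hdrs))
        if resp.status not in REDIRECTS or "location" not in hdrs:
            break
        url = urljoin(url, hdrs["location"])
    return hops

def audit(hops, origin):
    """Findings for one recorded chain: redirects, downgrades, missing ACAO."""
    findings = []
    for i, (url, status, hdrs) in enumerate(hops):
        if status in REDIRECTS:
            findings.append(f"hop {i}: {status} redirect from {url}")
            target = urljoin(url, hdrs.get("location", ""))
            if url.startswith("https://") and target.startswith("http://"):
                findings.append(f"hop {i}: downgrade to {target}")
        if hdrs.get("access-control-allow-origin") not in (origin, "*"):
            findings.append(f"hop {i}: no matching Access-Control-Allow-Origin")
    return findings

def diverges(options_hops, get_hops):
    """True when OPTIONS and GET produce different status sequences."""
    return [h[1] for h in options_hops] != [h[1] for h in get_hops]

# Constructed sample chains (not captured traffic); example.test hosts are placeholders.
ORIGIN = "https://app.example.test"
SAMPLE_OPTIONS = [
    ("https://api.example.test/v1", 302, {"location": "http://api.example.test/v1/"}),
    ("http://api.example.test/v1/", 204, {"access-control-allow-origin": ORIGIN}),
]
SAMPLE_GET = [("https://api.example.test/v1", 200, {"access-control-allow-origin": ORIGIN})]
```

Against a real API, pass the output of `probe(url, "OPTIONS", origin)` and `probe(url, "GET", origin)` to `audit` and `diverges` in place of the sample chains.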
Remediation
Use canonical URLs in client libraries and avoid trailing-slash redirects on API roots.
Emit HSTS at the edge to reduce accidental protocol downgrades during redirects.
