Blog

Datadog RUM and CORS: correlating browser sessions with backend traces via allowed trace headers

Expose traceparent headers through CORS Allow-Headers on APIs you instrument; otherwise RUM cannot stitch distributed traces.

Published: 2027-04-06Updated: 2027-04-081 min read

datadogrumcors

Session replay

Mask sensitive DOM nodes in replay configs—CORS does not protect against leaking PII in recorded HTML.

Sampling strategies should differ between production and staging to control storage costs.

Synthetic tests may not reproduce browser CORS behavior—complement with real-user monitoring alerts.

Tag tests by environment to avoid false positives when APIs whitelist origins per stage.