
Directus headless CMS: CORS for REST and GraphQL, static assets, and presigned file delivery

Directus can serve files directly or through storage adapters; each path needs consistent CORS when SPAs fetch thumbnails.


Flows and hooks

Custom flows and hooks that call external APIs run with the server's network position and credentials, so a URL that originates from user input becomes an SSRF primitive unless it is validated before the request is made: allowlist the scheme and hostname, reject literal IP addresses, and re-check every address the name resolves to against loopback, private, link-local and metadata ranges.

When a hook throws, the response must still carry the CORS response headers and a structured error body. A bare failure reaches the browser as the same opaque network error a CORS block produces, so the client cannot tell an application error from a misconfigured origin.
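On the client side this is what telling the two apart looks like, as an added example rather than code from the page. The envelope shape, `{ errors: [ { message, extensions: { code } } ] }`, is the one Directus returns for API errors; the sample bodies, the wrapper and the function names are constructed for illustration.

```javascript
// Added example (not Directus code): classify what fetch() produced for a Directus call.
// A CORS block surfaces as a rejected fetch with no Response at all; a hook error that
// was delivered correctly arrives as an HTTP response carrying the Directus envelope.

// Constructed sample body in the Directus error envelope shape.
const SAMPLE_HOOK_ERROR = JSON.stringify({
  errors: [{ message: "Value must be a positive integer.", extensions: { code: "FAILED_VALIDATION" } }],
});

// Synchronous classifier. `error` is set when fetch rejected; otherwise status,
// contentType and body describe the response the browser allowed the page to read.
function classifyOutcome({ error = null, status = 0, contentType = "", body = "" }) {
  if (error) {
    // The browser deliberately hides why fetch failed: a rejected preflight, a missing
    // Access-Control-Allow-Origin on an error response, DNS, TLS and refused connections
    // all end up as a TypeError with no status. The server log is the only place to look.
    return { kind: "network-or-cors", detail: String(error.message || error) };
  }
  if (status >= 200 && status < 300) return { kind: "ok", status };
  if (contentType.toLowerCase().includes("application/json")) {
    let parsed = null;
    try { parsed = JSON.parse(body); } catch { /* fall through to http-error */ }
    const first = parsed && Array.isArray(parsed.errors) ? parsed.errors[0] : null;
    if (first && typeof first.message === "string") {
      const code = (first.extensions && first.extensions.code) || "UNKNOWN";
      return { kind: "api-error", status, code, message: first.message };
    }
  }
  // Reached the server but no envelope: for example a hook crashed and a bare 500 came back.
  return { kind: "http-error", status };
}

// Async wrapper around a fetch implementation (window.fetch in a browser; injected here
// so it can be exercised with a fake). Reads the body as text so one code path handles
// JSON, HTML error pages and empty 204 responses alike.
async function fetchAndClassify(fetchImpl, url, init = {}) {
  let res;
  try {
    res = await fetchImpl(url, init);
  } catch (error) {
    return classifyOutcome({ error });
  }
  return classifyOutcome({
    status: res.status,
    contentType: res.headers.get("content-type") || "",
    body: await res.text(),
  });
}

module.exports = { classifyOutcome, fetchAndClassify, SAMPLE_HOOK_ERROR };
```

The practical consequence: if a client sees `network-or-cors` for a request that the server log shows reached a hook and failed, the error path is dropping the CORS headers, and that is the server-side bug to fix before touching the hook itself.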

Extensions

Bundled extensions can register endpoint routes under their own prefixes, so after an upgrade regenerate the OpenAPI spec and diff its path list against the previous one to catch routes that appeared outside the prefixes your CORS and auth rules were written for.
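A minimal version of that diff, added here as an example and not taken from the page or from Directus: it inventories the method/path pairs in two OpenAPI documents and flags additions outside a list of covered prefixes. The two specs are constructed and deliberately tiny; the `fetchSpec` helper, the prefix list and the bearer-token header are assumptions about how the spec is retrieved.

```javascript
// Added example (not Directus code): diff two OpenAPI documents (for instance the output of
// GET /server/specs/oas before and after an upgrade) and report routes that appeared
// outside the path prefixes that CORS and auth rules already cover.

const HTTP_METHODS = new Set(["get", "post", "put", "patch", "delete", "head", "options"]);

// Constructed sample specs: the "after" document gains one method on an existing path
// and one entirely new path. The `parameters` key on a path item is not a method.
const SPEC_BEFORE = {
  openapi: "3.0.1",
  paths: {
    "/server/info": { get: {} },
    "/items/{collection}": { get: {}, post: {} },
  },
};
const SPEC_AFTER = {
  openapi: "3.0.1",
  paths: {
    "/server/info": { get: {} },
    "/items/{collection}": { get: {}, post: {}, patch: {} },
    "/report-export/{id}": { parameters: [], get: {} },
  },
};

// Sorted list of "METHOD /path" strings; path-item keys that are not HTTP methods
// (parameters, summary, servers) are skipped so they do not show up as routes.
function routeInventory(spec) {
  const routes = [];
  for (const [path, item] of Object.entries(spec.paths || {})) {
    for (const key of Object.keys(item)) {
      if (HTTP_METHODS.has(key.toLowerCase())) routes.push(`${key.toUpperCase()} ${path}`);
    }
  }
  return routes.sort();
}

// Prefix match on path segments, so "/items" covers "/items/{collection}" but not "/itemsx".
function coveredBy(path, prefixes) {
  return prefixes.some((p) => {
    const base = p.replace(/\/$/, "");
    return path === base || path.startsWith(base + "/");
  });
}

function diffRoutes(before, after, coveredPrefixes) {
  const oldSet = new Set(routeInventory(before));
  const newSet = new Set(routeInventory(after));
  const added = [...newSet].filter((r) => !oldSet.has(r));
  const removed = [...oldSet].filter((r) => !newSet.has(r));
  const uncovered = added.filter((r) => !coveredBy(r.slice(r.indexOf(" ") + 1), coveredPrefixes));
  return { added, removed, uncovered };
}

// Assumed retrieval helper: Directus serves the generated spec at /server/specs/oas and
// accepts a bearer token; store the JSON alongside the deployment so the next upgrade
// has something to diff against.
async function fetchSpec(baseUrl, token) {
  const res = await fetch(new URL("/server/specs/oas", baseUrl), {
    headers: { Authorization: `Bearer ${token}` },
  });
  if (!res.ok) throw new Error(`spec request failed with ${res.status}`);
  return res.json();
}

module.exports = { routeInventory, diffRoutes, fetchSpec, SPEC_BEFORE, SPEC_AFTER };
```

Treat the result as a first pass rather than proof of absence: a route an extension does not describe in the spec will not appear in the diff.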

Keep the Directus and Node.js versions aligned with each extension's declared peer dependency ranges; a mismatch tends to surface when the extension is loaded rather than when it is installed, so check it as part of the upgrade rehearsal, not after deployment.
