
Distributed tracing across CORS boundaries: what to propagate and what to redact

traceparent belongs in server-to-server hops; browsers should not leak internal IDs through CORS-exposed headers.


Header policy

Expose only stable, non-sensitive headers to JavaScript; keep internal routing tokens server-side.

Align Access-Control-Allow-Headers with the minimal set your SPA truly sends.
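The two rules above can be checked mechanically against a service's CORS configuration. The following is an added example, not code from the original post: the function names, the `x-internal-` prefix convention, and the sample policy are assumptions made for illustration.

```javascript
// Added example. Header names and the sample policy below are constructed.
// Assumption: internal headers use an "x-internal-" prefix, in addition to
// the W3C Trace Context headers traceparent and tracestate.
const INTERNAL = [/^traceparent$/, /^tracestate$/, /^x-internal-/];

// Split a comma-separated header-name list into lowercase names.
const parseList = (value) =>
  (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

const isInternal = (name) => INTERNAL.some((re) => re.test(name));

// Report header names that violate the header policy.
function auditCorsPolicy(policy, spaSentHeaders) {
  const sent = new Set(spaSentHeaders.map((h) => h.toLowerCase()));
  const findings = [];
  for (const h of parseList(policy["Access-Control-Expose-Headers"])) {
    if (h === "*") findings.push({ rule: "expose-wildcard", header: h });
    else if (isInternal(h)) findings.push({ rule: "expose-internal", header: h });
  }
  for (const h of parseList(policy["Access-Control-Allow-Headers"])) {
    if (h === "*") findings.push({ rule: "allow-wildcard", header: h });
    else if (!sent.has(h)) findings.push({ rule: "allow-unused", header: h });
  }
  return findings;
}

// Return a copy of the policy with the offending names removed.
function tightenCorsPolicy(policy, spaSentHeaders) {
  const sent = new Set(spaSentHeaders.map((h) => h.toLowerCase()));
  const expose = parseList(policy["Access-Control-Expose-Headers"])
    .filter((h) => h !== "*" && !isInternal(h));
  const allow = parseList(policy["Access-Control-Allow-Headers"])
    .filter((h) => sent.has(h));
  return {
    ...policy,
    "Access-Control-Expose-Headers": expose.join(", "),
    "Access-Control-Allow-Headers": allow.join(", "),
  };
}

// Constructed sample: a policy that exposes and allows more than it should.
const samplePolicy = {
  "Access-Control-Allow-Origin": "https://app.example.com",
  "Access-Control-Expose-Headers": "ETag, Retry-After, traceparent, X-Internal-Route",
  "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Debug, traceparent",
};
const sampleSpaHeaders = ["Content-Type", "Authorization"];
```

Running `auditCorsPolicy` in CI against each service's configured policy catches an internal header added to the exposed list before it reaches production.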

Dashboards

Chart preflight ratio separately from API latency—spikes often indicate misconfigured clients.

Alert when OPTIONS error rate exceeds SLO during deploy windows.
