Envoy proxy: CORS HTTP filter, route-level policies, and WASM extensions for dynamic Allow-Origin lists
Envoy evaluates CORS in the HTTP connection manager, so order the CORS filter before any auth filters that might short-circuit OPTIONS requests.
Sidecar versus edge
Mesh sidecars may see internal cluster names—never echo those as Allow-Origin values to browsers.
Edge Envoys terminate TLS and must align SNI with CORS policy documents.
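The filter-ordering rule at the top of the page and the sidecar warning above can be checked before a config is pushed. The following is an added example, not code from the original post or from the Envoy project; it assumes filters are listed under their canonical names, and `INTERNAL_SUFFIXES`, the sample chains and the sample origins are constructed for illustration.

```python
from urllib.parse import urlsplit

CORS = "envoy.filters.http.cors"
# Auth filters that can answer a request locally (401/403) before later filters run.
AUTH = {"envoy.filters.http.ext_authz", "envoy.filters.http.jwt_authn"}
# Assumption: hostname suffixes that mark mesh-internal names in this deployment.
INTERNAL_SUFFIXES = (".svc", ".svc.cluster.local", ".internal", ".local")


def lint_filter_order(http_filters):
    """Return findings for auth filters placed ahead of the CORS filter."""
    names = [f["name"] for f in http_filters]
    if CORS not in names:
        return [f"{CORS} is not in the chain"]
    cors_at = names.index(CORS)
    return [
        f"{name} (position {i}) runs before {CORS} (position {cors_at})"
        for i, name in enumerate(names[:cors_at])
        if name in AUTH
    ]


def lint_origins(origins):
    """Return allowlist entries that are not browser-facing origins."""
    flagged = []
    for origin in origins:
        host = urlsplit(origin).hostname  # None when there is no scheme://host
        if host is None or "." not in host or host.endswith(INTERNAL_SUFFIXES):
            flagged.append(origin)
    return flagged


# Constructed sample input: the http_filters list of an HTTP connection manager,
# reduced to filter names, and a candidate Allow-Origin allowlist.
BAD_CHAIN = [{"name": "envoy.filters.http.jwt_authn"}, {"name": CORS},
             {"name": "envoy.filters.http.router"}]
GOOD_CHAIN = [{"name": CORS}, {"name": "envoy.filters.http.jwt_authn"},
              {"name": "envoy.filters.http.router"}]
ORIGINS = ["https://app.example.com",
           "http://reviews.default.svc.cluster.local:9080",
           "http://backend",
           "outbound|9080||reviews.default.svc.cluster.local"]

if __name__ == "__main__":
    for finding in lint_filter_order(BAD_CHAIN) + lint_origins(ORIGINS):
        print("FINDING:", finding)
```

Run it in CI against the rendered listener config and the allowlist the control plane is about to distribute, and fail the build on any finding.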
Performance
The CORS filter adds minimal latency, but WASM plugins can regress, so benchmark after each extension upgrade.
Large allowlists increase memory; shard by tenant at the control plane when possible.
