
EventSource (SSE): CORS, credentials, and reconnection headers

When an EventSource is opened with credentials, the response must carry a specific Access-Control-Allow-Origin value, not *, and cookies follow SameSite rules.


Headers unique to SSE

Some servers set Cache-Control: no-cache on streams; ensure CDN rules do not strip required CORS headers on chunked responses.

Nginx buffering can delay events—disable proxy_buffering for SSE routes.
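The credentialed-CORS rule from the introduction and the header concerns in this section can be checked together. The following is an added example, not code from the original post: the allowlist, the function names and the sample headers are constructed, and `X-Accel-Buffering: no` is used as a per-response way to ask nginx not to buffer, alongside the `proxy_buffering` setting mentioned above.

```javascript
// Constructed allowlist; replace with the origins that may open the stream.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Headers for an SSE response; returns null when the Origin is not allowed.
function sseResponseHeaders(requestOrigin) {
  const headers = {
    "Content-Type": "text/event-stream",
    "Cache-Control": "no-cache",
    "X-Accel-Buffering": "no", // per-response request that nginx not buffer
  };
  if (requestOrigin === undefined) return headers; // no Origin: no CORS headers
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return null;
  headers["Access-Control-Allow-Origin"] = requestOrigin; // never "*"
  headers["Access-Control-Allow-Credentials"] = "true";
  headers["Vary"] = "Origin"; // caches must key the response on Origin
  return headers;
}

// Audit headers as the browser receives them (after any proxy or CDN)
// for a stream opened with { withCredentials: true }.
function auditSseHeaders(requestOrigin, received) {
  const h = {};
  for (const [k, v] of Object.entries(received)) h[k.toLowerCase()] = String(v).trim();
  const problems = [];
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) problems.push("Access-Control-Allow-Origin missing");
  else if (acao === "*") problems.push("wildcard origin is rejected with credentials");
  else if (acao !== requestOrigin) problems.push("Allow-Origin does not match Origin");
  if (h["access-control-allow-credentials"] !== "true")
    problems.push("Access-Control-Allow-Credentials: true missing");
  const vary = (h["vary"] || "").toLowerCase().split(",").map((s) => s.trim());
  if (!vary.includes("origin")) problems.push("Vary: Origin missing");
  if (!(h["content-type"] || "").toLowerCase().startsWith("text/event-stream"))
    problems.push("Content-Type is not text/event-stream");
  return problems;
}

// Constructed sample: what a CDN rule that rewrites CORS headers might return.
const rewritten = { "Content-Type": "text/event-stream", "Access-Control-Allow-Origin": "*" };
console.log(auditSseHeaders("https://app.example.com", rewritten));
```

Run the audit against headers captured at the browser edge rather than at the origin server, since that is where a CDN or proxy rule would have altered them.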

Alternatives

When you need bidirectional messaging, WebSockets may simplify auth but change Origin handling—compare carefully.

HTTP/2 server push deprecation affects some SSE deployments—monitor browser release notes.
