Blog

Firebase App Hosting and Cloud Functions: wiring CORS for SSR and API routes

Framework-aware hosting runs server code at the edge; ensure CORS headers on both static and dynamic responses.

Published: 2026-05-20Updated: 2026-05-221 min read

firebasegoogle-cloudcors

Callable functions

Callable wrappers differ from raw HTTP functions—CORS is handled automatically but verify custom domains.

App Check reduces abuse but does not replace origin allowlists for public APIs.

Security rules are orthogonal to CORS; a client can pass CORS but still fail auth in rules.

Log rule evaluation failures separately from gateway CORS denials.