Blog

Google Cloud Armor: security policies, header actions, and CORS-friendly allowlists

Use Cloud Armor to rate-limit abusive origins while still returning CORS headers on blocked responses for observability.

Published: 2026-10-08Updated: 2026-10-101 min read

gcpsecuritycors

Load balancer integration

Attach policies to backend services behind global external HTTP(S) load balancers.

Preview rules in dry-run mode before enforcing drops on production traffic.

reCAPTCHA Enterprise can complement Armor for browser flows—still configure CORS on APIs separately.

Log matched rules with enough context to distinguish partner mistakes from attacks.