GraphQL in the browser: CORS, cookies, and single endpoints
Why POST-heavy GraphQL interacts with preflight, and how credentials mode changes the rules.
Tags: graphql, cors, cookies
Preflight with GraphQL
Most GraphQL clients send a POST with Content-Type: application/json plus custom headers such as Apollo-Client-Name. Neither is allowed on a "simple" cross-origin request, so the browser issues an OPTIONS preflight and only sends the real POST if the preflight response approves the method, headers, and origin.
Ensure your gateway returns the same CORS headers on the OPTIONS preflight response and on the actual POST response; if the two disagree, the preflight can pass while the real request is blocked, or vice versa.
Cookies and SameSite
Using credentials: include (so the browser attaches cookies) demands Access-Control-Allow-Credentials: true together with a specific Access-Control-Allow-Origin that echoes an allow-listed origin; a wildcard is rejected by the browser in credentials mode.
Pair cookie policies (SameSite and the Secure flag) with CSRF defenses for mutations, such as requiring a custom header or a non-simple content type so the request cannot be sent without a preflight. CORS alone is insufficient: it governs who may read a response, not who may send a cookie-bearing request.
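The following is an added example, not code from the original post or from any GraphQL gateway. It shows one way to emit consistent CORS headers for both the preflight and the POST, and a CSRF gate that rejects cookie-bearing requests which could have been sent without a preflight. The origin allow-list, header names, and the req/res object shapes are assumptions chosen for illustration (they are not Express or Apollo APIs).

```javascript
// Constructed allow-list; a real deployment would load this from config.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_HEADERS = "Content-Type, Apollo-Client-Name, Apollo-Client-Version";

// Build CORS headers for the GraphQL endpoint. The same function serves the
// OPTIONS preflight and the real POST, so the two responses cannot disagree.
function corsHeaders(origin) {
  // Unknown or missing Origin: emit no CORS headers at all (never "*" with cookies).
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,            // echo the specific origin
    "Access-Control-Allow-Credentials": "true",       // required for credentials: include
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": ALLOWED_HEADERS,  // must list the custom headers
    "Vary": "Origin",                                 // caches must key on Origin when echoing it
  };
}

// CSRF gate for cookie-authenticated requests. Form posts and text/plain bodies
// are "simple" requests a cross-site page can send without a preflight, so
// require evidence that a preflight must have happened: JSON content type,
// a custom header, and an allow-listed Origin.
function isCsrfSafe(req) {
  if (req.method !== "POST") return false;
  const ct = (req.headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (ct !== "application/json") return false;
  if (!req.headers["apollo-client-name"]) return false; // custom header forces preflight
  return ALLOWED_ORIGINS.has(req.headers["origin"]);
}

// Minimal endpoint handler (hypothetical shapes): returns {status, headers, body}.
function handleGraphql(req) {
  const headers = corsHeaders(req.headers["origin"]);
  if (req.method === "OPTIONS") {
    // Preflight: no body; an unlisted origin gets no Allow-* headers and fails in the browser.
    return { status: 204, headers, body: null };
  }
  if (!isCsrfSafe(req)) {
    return { status: 403, headers, body: { errors: [{ message: "forbidden" }] } };
  }
  return { status: 200, headers, body: { data: { ok: true } } };
}
```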
