GraphQL federation and CORS at the edge: gateway responsibilities

A federated gateway aggregates subgraphs; browsers still see one origin and one CORS policy.

Single entrypoint

Publish one public URL for browser clients; route to subgraphs server-side to avoid multiple browser preflights.

If you must expose multiple browser endpoints, keep their Access-Control-Allow-Origin allowlists aligned and document partner onboarding.

Schema governance

Breaking changes in subgraphs can surface as 400 responses, and those responses still need CORS headers, or fetch cannot read the error.

Automate composition checks in CI before deploy to prevent partial outages that look like CORS failures.
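
One way to apply a single CORS policy at the gateway so that error responses carry it too. This is an added example, not code from the original post; the origins, the function names and the 403 for a rejected preflight are assumptions.

```javascript
// Added example. The origins and function names below are constructed assumptions.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://partner.example.net",
]);

// One policy for the single public entrypoint: exact-match allowlist, no wildcard.
function corsHeaders(origin) {
  // Vary is always sent because the allowed origin is echoed per request;
  // without it a shared cache could serve one origin's headers to another.
  const headers = { Vary: "Origin" };
  if (typeof origin === "string" && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}

// Preflight is answered at the gateway, so subgraphs never see OPTIONS.
function preflightResponse(origin) {
  const headers = corsHeaders(origin);
  if (!("Access-Control-Allow-Origin" in headers)) {
    return { status: 403, headers, body: "" }; // 403 is this example's choice
  }
  headers["Access-Control-Allow-Methods"] = "POST, OPTIONS";
  headers["Access-Control-Allow-Headers"] = "content-type, authorization";
  headers["Access-Control-Max-Age"] = "600";
  return { status: 204, headers, body: "" };
}

// Every response leaves through here, whatever its status, so a 400 caused by a
// subgraph schema change is still readable by fetch() in an allowed origin.
function finalizeResponse(origin, status, payload) {
  return {
    status,
    headers: { ...corsHeaders(origin), "Content-Type": "application/json" },
    body: JSON.stringify(payload),
  };
}

// Constructed sample: a validation error after a field was removed from a subgraph.
const sampleError = { errors: [{ message: 'Cannot query field "sku" on type "Product".' }] };
const readable = finalizeResponse("https://app.example.com", 400, sampleError);
const unlisted = finalizeResponse("https://unlisted.example.org", 400, sampleError);
console.log(readable.status, readable.headers["Access-Control-Allow-Origin"]);
console.log(unlisted.status, unlisted.headers["Access-Control-Allow-Origin"]);
```

An origin missing from the allowlist gets the same status and body but no Access-Control-Allow-Origin header, which the browser reports as a CORS failure even though the underlying problem is the 400.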
