GraphQL federation gateways: one CORS surface for many subgraphs
Expose a single router URL to browsers; let subgraphs stay private behind mTLS without duplicating CORS rules.
Tags: graphql, federation, cors
Header propagation
Forward the `Authorization` header to subgraphs consistently; subgraphs should not echo the browser's `Origin` header unless required.
Use `@inaccessible` and schema contracts to avoid leaking internal fields through the public gateway.
Testing
Run automated checks that preflight succeeds for every allowed SPA origin after subgraph rollouts.
Include batched operations in tests because they may change header shapes.
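One way to automate the preflight check described above, as an added example that is not from the original post: it applies the browser's preflight rules to the router's response for each origin. The origins, header list and sample responses are constructed assumptions.

```javascript
// Added example, not from the original post. Origins, header lists and sample
// responses are constructed assumptions; replace them with your router's values.
const ALLOWED_ORIGINS = ["https://app.example.com", "https://admin.example.com"];
const GRAPHQL_HEADERS = ["authorization", "content-type"];

// Split a comma-separated header value into lowercase tokens.
const tokens = (v) => String(v || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);

// Apply the browser's preflight rules to a response; returns a list of problems.
function checkPreflight(origin, status, headers, requestHeaders = GRAPHQL_HEADERS, credentialed = false) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const problems = [];
  if (status < 200 || status > 299) problems.push(`status ${status} is not 2xx`);
  const acao = h["access-control-allow-origin"];
  if (acao !== origin && (acao !== "*" || credentialed)) problems.push(`allow-origin ${acao} does not cover ${origin}`);
  if (credentialed && h["access-control-allow-credentials"] !== "true") problems.push("allow-credentials is not true");
  const allowed = tokens(h["access-control-allow-headers"]);
  for (const name of requestHeaders.map((n) => n.toLowerCase())) {
    // "*" never covers Authorization, and is a literal when credentials are sent.
    const wildcard = allowed.includes("*") && !credentialed && name !== "authorization";
    if (!allowed.includes(name) && !wildcard) problems.push(`request header ${name} not allowed`);
  }
  return problems;
}

// Send a real preflight to the router (not called here, so the example runs offline).
function probe(routerUrl, origin, requestHeaders = GRAPHQL_HEADERS) {
  return new Promise((resolve, reject) => {
    const req = require("node:https").request(routerUrl, {
      method: "OPTIONS",
      headers: { Origin: origin, "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": requestHeaders.join(",") },
    }, (res) => {
      res.resume();
      resolve(checkPreflight(origin, res.statusCode, res.headers, requestHeaders));
    });
    req.on("error", reject);
    req.end();
  });
}

// Probe every allowed SPA origin; resolves to { origin: [problems] }.
const probeAll = async (routerUrl) => Object.fromEntries(
  await Promise.all(ALLOWED_ORIGINS.map(async (o) => [o, await probe(routerUrl, o)])));

// Constructed samples: an explicit header list, and a rollout that switched to "*".
const sampleGood = { "Access-Control-Allow-Origin": "https://app.example.com", "Access-Control-Allow-Headers": "Authorization, Content-Type" };
const sampleWildcard = { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "*" };
```

In CI, call `probeAll` with the router URL after each subgraph rollout and fail the job if any origin reports problems; for batched operations, pass `probe` the header list the batching client actually sends.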
