
gRPC-Web in Envoy: CORS filters, HTTP/1.1 bridges, and JSON transcoding for browser clients

Envoy translates gRPC-Web to HTTP/2 upstream—CORS must be applied on the browser-facing listener, not only on internal clusters.

grpc-web, envoy, cors

Protobuf

Large messages can hit body size limits—return 413 with CORS headers so clients see real errors.

Unknown fields and `google.api.http` annotations must stay in sync when APIs evolve.

Security

mTLS between Envoy and services does not replace browser CORS for public SPAs.

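The header the Envoy JWT filter validates (`Authorization`) should also appear in the CORS allowed-headers list; otherwise the browser's preflight blocks the request before a token is ever sent.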
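
The points above combined in one browser-facing listener fragment. This is an added example, not configuration from the original post. The listener name, port, origin, issuer, JWKS URL and the `grpc_backend` and `idp_jwks` clusters are placeholders assumed to be defined elsewhere, and TLS termination is left out:

```yaml
static_resources:
  listeners:
  - name: browser_ingress            # placeholder: the listener browsers reach
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: browser_ingress
          http_filters:
          # CORS first: it answers the preflight OPTIONS (which carries no token)
          # before jwt_authn runs, and later 401/413 responses pass back through it.
          - name: envoy.filters.http.cors
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
          - name: envoy.filters.http.jwt_authn
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
              providers:
                spa_idp:                                # placeholder provider
                  issuer: "https://idp.example.test"
                  remote_jwks:
                    http_uri:
                      uri: "https://idp.example.test/jwks.json"
                      cluster: idp_jwks
                      timeout: 2s
              rules:
              - match: { prefix: "/" }
                requires: { provider_name: spa_idp }
          - name: envoy.filters.http.grpc_web           # gRPC-Web to gRPC translation
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            virtual_hosts:
            - name: grpc_api
              domains: ["api.example.test"]
              typed_per_filter_config:
                envoy.filters.http.cors:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.CorsPolicy
                  allow_origin_string_match:
                  - exact: "https://app.example.test"   # the SPA origin, never "*"
                  allow_methods: "POST, OPTIONS"
                  # authorization is listed because jwt_authn expects it
                  allow_headers: "authorization,content-type,x-grpc-web,x-user-agent,grpc-timeout"
                  expose_headers: "grpc-status,grpc-message"
                  max_age: "600"
              routes:
              - match: { prefix: "/" }
                route: { cluster: grpc_backend }
```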
