Blog
hapi.js route options: CORS configuration per route, handler prequisites, and failAction behavior
hapi centralizes CORS in route settings—mixing global and route overrides is powerful but easy to misread in code review.
1 min read
hapicorsnodejs
Plugins and glue
Register CORS-related plugins in a deterministic order in your manifest files.
Lifecycle hooks onPreHandler can still strip headers if you mutate the response object incorrectly.
TLS termination
When TLS ends at a load balancer, hapi sees HTTP internally—origin schemes in Allow-Origin must still use https for browsers.
HSTS and CORS are complementary; do not disable security headers while debugging CORS alone.