Blog

HAProxy and CORS: http-response set-header patterns for APIs

Use ACLs to match OPTIONS and inject CORS on both success and curated error backends.

Published: 2025-10-28Updated: 2025-10-301 min read

haproxyinfrastructurecors

ACL design

Separate frontends for browser traffic versus internal health checks to avoid accidental CORS on metrics ports.

Use maps files for large origin lists with reload-friendly updates.

Terminate TLS once; double encryption adds latency and complicates certificate rotation.

Keep OCSP stapling enabled to reduce handshake latency for global users.