Blog

HAProxy in HTTP mode: injecting CORS headers, HTTP health checks, and OPTIONS routing to dedicated backends

Use `http-response set-header` for CORS—order rules so `Access-Control` headers are not stripped by later ACLs.

Published: 2028-05-08Updated: 2028-05-101 min read

haproxycorsload-balancer

TLS termination

When TLS ends at HAProxy, `https` origins must match `req.hdr(Host)` normalization.

OCSP stapling failures can break clients before CORS—alert separately.

Abuse detection uses stick tables—do not correlate with CORS origin alone.