Kong Gateway: configuring the CORS plugin safely at scale

Use workspaces, plugin ordering, and consumer-scoped overrides without opening a public relay.

Plugin precedence

Order matters when CORS runs alongside JWT, ACL, and request-transformer plugins—document the chain.

Keep the declarative config in Git and require review on every change to prevent accidental permissive changes.

Multi-environment drift

Diff staging versus production CORS lists in CI to catch missing partner origins before release.
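
One way to run that diff in CI, as an added example that is not from the original post or from Kong: it compares the CORS `origins` lists per scope in two declarative configs and exits non-zero on drift or on a wildcard in production. The function names, the sample hostnames, and the two configs (shown already parsed into dicts, with plugins at global, service, and service-nested route level only) are constructed for illustration, and the code assumes a CORS plugin with no `origins` configured allows any origin.

```python
import sys

# Constructed sample data: Kong declarative configs already parsed into dicts.
STAGING = {
    "plugins": [{"name": "cors", "config": {"origins": [
        "https://app.example.com", "https://partner.example.net"]}}],
    "services": [{"name": "orders", "routes": [{"name": "orders-v1", "plugins": [
        {"name": "cors", "config": {"origins": ["https://app.example.com"]}}]}]}],
}
PROD = {
    "plugins": [{"name": "cors", "config": {"origins": ["https://app.example.com"]}}],
    "services": [{"name": "orders", "routes": [{"name": "orders-v1", "plugins": [
        {"name": "cors", "config": {"origins": ["*"]}}]}]}],
}

def cors_scopes(cfg):
    """Map each scope (global, service:<name>, route:<name>) to its CORS origins."""
    scopes = {}

    def collect(scope, plugins):
        for plugin in plugins or []:
            if plugin.get("name") == "cors" and plugin.get("enabled", True):
                origins = (plugin.get("config") or {}).get("origins")
                # Assumption: with no origins configured the plugin allows any
                # origin, so an empty list is recorded as the wildcard.
                scopes[scope] = set(origins or ["*"])

    collect("global", cfg.get("plugins"))
    for svc in cfg.get("services") or []:
        collect(f"service:{svc['name']}", svc.get("plugins"))
        for route in svc.get("routes") or []:
            collect(f"route:{route['name']}", route.get("plugins"))
    return scopes

def diff_cors(staging, prod):
    """Return (scope, kind, origin) findings; an empty list means no drift."""
    s, p = cors_scopes(staging), cors_scopes(prod)
    findings = []
    for scope in sorted(s.keys() | p.keys()):
        so, po = s.get(scope, set()), p.get(scope, set())
        findings += [(scope, "missing-in-prod", o) for o in sorted(so - po)]
        findings += [(scope, "only-in-prod", o) for o in sorted(po - so - {"*"})]
        if "*" in po:
            findings.append((scope, "wildcard-in-prod", "*"))
    return findings

if __name__ == "__main__":
    results = diff_cors(STAGING, PROD)
    for finding in results:
        print(*finding)
    sys.exit(1 if results else 0)
```

In a pipeline, the two dicts would be loaded from the reviewed config files for each environment rather than embedded.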

Automate smoke tests that send Origin headers from each integrated web app.
