Blog

Linkerd and CORS: where to terminate browser traffic versus mesh mTLS

Terminate TLS and CORS at the ingress; sidecar proxies handle mTLS between pods without changing browser CORS.

Published: 2026-05-08Updated: 2026-05-101 min read

linkerdservice-meshcors

Split deployments

Edge clusters may run different Linkerd versions than data clusters—test header behavior per environment.

Service profiles affect retries; duplicate preflight retries can amplify load on backends.

Use tap and metrics to see if 502s originate from mesh timeouts rather than CORS.

Compare with meshed versus unmeshed paths to isolate issues.