Mutual TLS in browsers: client certificates interact with CORS but are not a substitute
The TLS layer proves channel identity; CORS still governs which JavaScript origins may read responses.
Tags: mTLS, TLS, security, CORS
API design
Prefer short-lived access tokens issued once the mTLS handshake completes, so users are not shown the certificate picker again on every request.
Do not expose headers that echo raw certificate DN strings through Access-Control-Expose-Headers without redaction; every exposed header is readable by the allowed origin's JavaScript.
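The two API-design points above, worked through as an added Go example (not code from the original post): the server requires a verified client certificate at the TLS layer, then trades that certificate for a short-lived HMAC token bound to the certificate's SHA-256 fingerprint, and CORS headers grant read access only to an allow-listed origin and expose only the fingerprint header, never the subject DN. The origin `https://app.example.test`, the signing key, the `/session` route and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Constructed demo secret; load it from a secret store and rotate it in practice.
var tokenKey = []byte("constructed-demo-key-do-not-use")

// Browser origins allowed to read responses. CORS decides who may read; the
// client certificate only proves who opened the TLS channel.
var allowedOrigins = map[string]bool{"https://app.example.test": true}

// newServer enforces mTLS at the TLS layer: a client without a valid
// certificate fails during the handshake, before any HTTP request exists.
func newServer(clientCAs *x509.CertPool) *http.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/session", sessionHandler)
	return &http.Server{Addr: ":8443", Handler: mux, TLSConfig: &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  clientCAs,
	}}
}

// certFingerprint is the only certificate-derived value exposed to callers;
// the subject DN never leaves the server.
func certFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// sign returns the hex HMAC-SHA256 of payload under tokenKey.
func sign(payload string) string {
	mac := hmac.New(sha256.New, tokenKey)
	mac.Write([]byte(payload))
	return hex.EncodeToString(mac.Sum(nil))
}

// mintToken issues a short-lived token bound to the certificate fingerprint so
// later requests are authorised without another certificate-picker prompt.
// Wire format: base64url(fingerprint|expiryUnix|hexHMAC).
func mintToken(fp string, exp time.Time) string {
	payload := fp + "|" + strconv.FormatInt(exp.Unix(), 10)
	return base64.RawURLEncoding.EncodeToString([]byte(payload + "|" + sign(payload)))
}

// verifyToken checks the HMAC in constant time and rejects expired tokens,
// returning the fingerprint the token is bound to.
func verifyToken(tok string, now time.Time) (string, bool) {
	raw, err := base64.RawURLEncoding.DecodeString(tok)
	if err != nil {
		return "", false
	}
	parts := strings.Split(string(raw), "|")
	if len(parts) != 3 || !hmac.Equal([]byte(sign(parts[0]+"|"+parts[1])), []byte(parts[2])) {
		return "", false
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || !now.Before(time.Unix(exp, 0)) {
		return "", false
	}
	return parts[0], true
}

// applyCORS grants read access only to allow-listed origins and exposes only
// the redacted fingerprint header, never a header carrying the raw DN.
func applyCORS(h http.Header, origin string) bool {
	h.Set("Vary", "Origin")
	if !allowedOrigins[origin] {
		return false
	}
	h.Set("Access-Control-Allow-Origin", origin)
	h.Set("Access-Control-Expose-Headers", "X-Client-Cert-Fingerprint")
	return true
}

// sessionHandler runs only after a successful mTLS handshake and trades the
// verified certificate for a five-minute token.
func sessionHandler(w http.ResponseWriter, r *http.Request) {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		http.Error(w, "client certificate required", http.StatusUnauthorized)
		return
	}
	applyCORS(w.Header(), r.Header.Get("Origin"))
	fp := certFingerprint(r.TLS.PeerCertificates[0])
	w.Header().Set("X-Client-Cert-Fingerprint", fp)
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprintf(w, `{"token":%q,"expires_in":300}`, mintToken(fp, time.Now().Add(5*time.Minute)))
}

func main() {
	// Token lifecycle without a live listener; the certificate is a constructed stand-in.
	cert := &x509.Certificate{Raw: []byte("constructed-der-bytes")}
	tok := mintToken(certFingerprint(cert), time.Now().Add(5*time.Minute))
	fp, ok := verifyToken(tok, time.Now())
	fmt.Println(fp, ok)
	_ = newServer // production: newServer(pool).ListenAndServeTLS("server.crt", "server.key")
}
```

Because `applyCORS` never sets `Access-Control-Allow-Origin` for an unlisted origin, a page on another origin still completes the mTLS handshake (the browser, not the page, holds the certificate) but cannot read the token from the response, which is exactly the separation the title describes.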
Failure modes
Expired client certificates are rejected during the TLS handshake, before any HTTP request is sent, so users may mistake the failure for a CORS problem; surface clear TLS errors on your status page.
Corporate proxies sometimes terminate TLS and strip the client certificate handshake; document the split-tunnel requirements.
