NestJS with Helmet: CORS middleware order, security headers, and OPTIONS handling before auth guards
Register CORS before rate limiting and authentication so preflight requests receive headers even when JWT cookies are absent.
GraphQL and REST together
When both HTTP and GraphQL endpoints exist, either duplicate the CORS options for each or centralize them in a single bootstrap configuration.
Subscriptions over WebSockets need separate handshake origin checks aligned with HTTP CORS.
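One way to keep the HTTP CORS callback and the WebSocket handshake check on a single allowlist, as described above. This is an added example, not code from the original page; the allowlist values, the function names and the Express-adapter wiring mentioned in the comments are assumptions.

```typescript
// Added example, not from the original page. ALLOWED_ORIGINS and every function
// name below are hypothetical; the origins are constructed sample values.
const ALLOWED_ORIGINS: readonly string[] = [
  "https://app.example.com",
  "https://admin.example.com",
];

// Exact match on the serialized origin (scheme://host[:port]). No suffix or
// regex matching, so look-alike hosts and the literal "null" origin fail.
function isAllowedOrigin(origin: string | undefined): boolean {
  return typeof origin === "string" && ALLOWED_ORIGINS.indexOf(origin) !== -1;
}

type OriginCallback = (err: Error | null, allow?: boolean) => void;

// Matches the function form of the `cors` package's `origin` option, which
// app.enableCors({ origin: corsOrigin, credentials: true }) accepts on the
// Express adapter (assumed here). Requests with no Origin header are not
// cross-origin browser requests, so CORS lets them through to the guards.
function corsOrigin(origin: string | undefined, cb: OriginCallback): void {
  cb(null, origin === undefined || isAllowedOrigin(origin));
}

type HandshakeHeaders = Record<string, string | string[] | undefined>;

// CORS does not apply to WebSocket upgrades: the browser sends Origin but
// enforces nothing, so the server has to refuse the handshake itself.
// Policy choice in this example: a missing or repeated Origin is refused.
function allowWsHandshake(headers: HandshakeHeaders): boolean {
  const origin = headers["origin"];
  return typeof origin === "string" && isAllowedOrigin(origin);
}

// Run both checks for one origin so the two transports can be compared.
function decide(origin: string | undefined): { http: boolean; ws: boolean } {
  let http = false;
  corsOrigin(origin, (_err, allow) => { http = allow === true; });
  return { http, ws: allowWsHandshake({ origin }) };
}
```

The two checks differ only for a request with no Origin header: the HTTP path passes it on to the auth guards, while the WebSocket path refuses it.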
Microservices
Nest microservice transports do not use browser CORS; document CORS only for the HTTP gateways that browsers call.
gRPC-to-REST gateways must translate metadata without dropping Vary: Origin on cached responses.
