Blog

Next.js Route Handlers: setting CORS headers correctly

Use Response helpers in App Router, handle OPTIONS, and avoid caching accidental cross-origin responses.

Published: 2024-09-03Updated: 2025-03-051 min read

nextjscorsapp-router

OPTIONS and dynamic routes

Export a handler for OPTIONS alongside GET/POST when browsers preflight custom headers.

Read the Origin header at runtime and compare to an allowlist before reflecting it in Access-Control-Allow-Origin.

Both support setting headers, but verify streaming and middleware ordering if you compose multiple layers.

Do not cache personalized CORS responses at CDNs unless you vary on Origin explicitly.