Private Network Access: when public sites probe localhost and CORS meets mixed security reviews
Browsers may preflight requests to private IPs; servers must opt in with Access-Control-Allow-Private-Network when policy allows.
Developer workflows
Exposing a dev API on 127.0.0.1 while testing a hosted SPA can trigger PNA checks before your normal CORS headers matter.
Use tunnels or staging hosts on public DNS instead of relying on permissive local binds.
Enterprise networks
Split-horizon DNS can make internal hostnames resolve differently for employees—validate CORS and PNA together.
Security teams may block ambiguous preflight patterns at the proxy layer.
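One way a server on a private address could make the opt-in described above while checking CORS and PNA together, as an added example that is not code from the original post. The allowlisted origin, the method and header lists, and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: decide how to answer a CORS + Private Network Access preflight.
// ALLOWED_ORIGINS and the sample requests below are constructed, not from the post.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// `headers` uses lowercase names, as Node's http module exposes them.
// Returns null when the request is not a preflight and should go to the normal handler.
function preflightDecision(method, headers, allowed = ALLOWED_ORIGINS) {
  if (method !== "OPTIONS" || !headers["access-control-request-method"]) {
    return null;
  }
  const origin = headers["origin"];
  // Exact-match allowlist: never reflect an arbitrary Origin and never answer "*".
  if (!origin || !allowed.has(origin)) {
    return { status: 403, headers: {}, reason: "origin not allowlisted" };
  }
  const out = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type",
    "Vary": "Origin",
  };
  // The PNA opt-in is sent only when the browser asked for it, and only
  // after the same origin check that gates the ordinary CORS headers.
  const wantsPna = headers["access-control-request-private-network"] === "true";
  if (wantsPna) out["Access-Control-Allow-Private-Network"] = "true";
  return { status: 204, headers: out, reason: wantsPna ? "cors+pna" : "cors only" };
}

// Constructed preflights: a hosted SPA and an unknown public site, both
// targeting a private address, plus a same-network request without PNA.
const samples = [
  { origin: "https://app.example.com", pna: "true" },
  { origin: "https://unknown.example.net", pna: "true" },
  { origin: "https://app.example.com", pna: undefined },
];
for (const s of samples) {
  const d = preflightDecision("OPTIONS", {
    "origin": s.origin,
    "access-control-request-method": "POST",
    "access-control-request-private-network": s.pna,
  });
  console.log(s.origin, "pna=" + s.pna, "->", d.status, d.reason);
}
```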
