Server-Sent Events (SSE) and CORS: long-lived connections in the browser

EventSource follows CORS rules for cross-origin streams; credentials tighten origin requirements.

EventSource constraints

EventSource uses GET by default; custom headers are limited compared to fetch, which changes how auth is modeled.

For cross-origin SSE, ensure the Access-Control-Allow-Origin response header matches the requesting page's origin, and consider exposing retry timing headers if needed.

Infrastructure pitfalls

Some reverse proxies buffer streaming responses—disable buffering for SSE routes explicitly.

Health checks should not share the same timeout profile as long-lived user streams.
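
An added example (not code from the original post) of a Node.js SSE handler that applies the points above: the allowed origin is echoed exactly for credentialed streams, since browsers reject `Access-Control-Allow-Origin: *` when credentials are sent, and buffering is switched off per response. The allowlisted origin, the `SSE_DEMO_PORT` variable and the function names are assumptions made for illustration.

```javascript
// Added example, not from the original post. Browser side of the same stream:
//   new EventSource("https://api.example.com/events", { withCredentials: true })

// Assumption: constructed allowlist of page origins that may read the stream.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Return response headers for an SSE request, or null when the origin is refused.
function sseHeaders(origin, allowed = ALLOWED_ORIGINS) {
  const headers = {
    "Content-Type": "text/event-stream",
    "Cache-Control": "no-cache",
    "X-Accel-Buffering": "no", // nginx: do not buffer this response
    "Vary": "Origin",          // caches must not reuse one origin's answer
  };
  if (origin === undefined) return headers; // no Origin header: no CORS headers
  // Exact match only; this also refuses the literal "null" origin.
  if (!allowed.has(origin)) return null;
  headers["Access-Control-Allow-Origin"] = origin; // never "*" with credentials
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Works as a Node http request listener: (req, res).
function handleEvents(req, res) {
  const headers = sseHeaders(req.headers.origin);
  if (headers === null) {
    res.writeHead(403);
    res.end();
    return;
  }
  res.writeHead(200, headers);
  res.write("retry: 5000\n\n"); // reconnect delay is a stream field, in ms
  // Comment lines (leading colon) keep idle proxies from closing the stream.
  const heartbeat = setInterval(() => res.write(": keepalive\n\n"), 15000);
  req.on("close", () => clearInterval(heartbeat));
}

// Assumption: SSE_DEMO_PORT is a hypothetical variable used to start the demo.
if (process.env.SSE_DEMO_PORT) {
  import("node:http").then((http) =>
    http.createServer(handleEvents).listen(Number(process.env.SSE_DEMO_PORT)));
}
```

`X-Accel-Buffering` is honoured by nginx; other reverse proxies need their own per-route setting to stop buffering.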