Traefik Ingress: CORS headers via middleware, Kubernetes labels, and TCP versus HTTP routers
Attach CORS middleware to HTTP routers only; raw TCP services never see Origin headers from browsers.
traefik, kubernetes, cors
TLS and ACME
Automatic certificates must cover every hostname your SPA uses in Access-Control-Allow-Origin. Wildcard certificates simplify this but widen the blast radius.
HTTP-01 challenges may briefly serve different hosts—ensure CORS middleware applies during renewals.
Observability
Traefik access logs should include Origin for debugging preflight storms during incidents.
Metrics on middleware execution time help separate CORS CPU cost from upstream latency.
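An added example (not from the original post) of why Origin belongs in the access log: it buckets CORS preflights per minute, router and Origin from Traefik JSON access-log lines and reports the buckets that cross a threshold. It assumes the JSON access-log format with the Origin and Access-Control-Request-Method request headers set to keep; the sample lines, router name and hostnames are constructed.

```python
import json
from collections import Counter

def _line(sec, method, origin=None, acrm=None):
    """Build one constructed Traefik-style JSON access-log line."""
    e = {"StartUTC": f"2024-05-01T10:00:{sec:02d}.000000000Z", "RequestMethod": method,
         "RouterName": "spa-api@kubernetescrd", "DownstreamStatus": 204}
    if origin:
        e["request_Origin"] = origin  # present only when the header is kept
    if acrm:
        e["request_Access-Control-Request-Method"] = acrm
    return json.dumps(e)

# Constructed sample: 6 preflights from one origin, 2 from another, plus noise.
SAMPLE_LOG = (
    [_line(s, "OPTIONS", "https://app.example.test", "POST") for s in range(6)]
    + [_line(s, "OPTIONS", "https://admin.example.test", "PUT") for s in (7, 8)]
    + [_line(9, "OPTIONS"),                        # plain OPTIONS, not a preflight
       _line(10, "GET", "https://app.example.test"),
       "level=info msg=constructed-non-json-line"]  # must be skipped, not crash
)

def is_preflight(entry):
    """A CORS preflight is an OPTIONS request carrying Access-Control-Request-Method."""
    return (entry.get("RequestMethod") == "OPTIONS"
            and "request_Access-Control-Request-Method" in entry)

def preflight_buckets(lines):
    """Count preflights per (minute, router, origin)."""
    counts = Counter()
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines (banners, truncated writes)
        if not isinstance(entry, dict) or not is_preflight(entry):
            continue
        minute = str(entry.get("StartUTC", ""))[:16]  # "YYYY-MM-DDTHH:MM"
        # A missing field means the Origin header was dropped by the log config.
        origin = entry.get("request_Origin", "<origin not logged>")
        counts[(minute, entry.get("RouterName", "<no router>"), origin)] += 1
    return counts

def find_storms(lines, threshold):
    """Return buckets with at least `threshold` preflights in one minute, largest first."""
    return [(k, n) for k, n in preflight_buckets(lines).most_common() if n >= threshold]
```

If every bucket shows `<origin not logged>`, the access log is dropping the Origin header and the per-origin breakdown is lost.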
