Webhooks vs browser fetch: where CORS does not apply
Server-to-server callbacks bypass CORS entirely; authenticate them with signatures and enforce replay protection instead.
Tags: webhooks, architecture, cors
Different threat model
Inbound HTTP from a partner's server to your webhook endpoint never passes through a browser, so the same-origin policy and CORS do not apply. CORS is enforced by the browser on the user's behalf; a server-side HTTP client simply ignores Access-Control-* headers. The Origin header is no help either: it is absent from server-to-server requests and trivially set by anyone who can craft an HTTP request.
Authenticate webhooks with something the sender must prove it holds: a shared secret used to HMAC the raw request body (compared in constant time), mTLS, or a signed payload. Bind a timestamp into what is signed and remember recently accepted deliveries so a captured delivery cannot be replayed. Reflecting Origin into Access-Control-Allow-Origin is not authentication on any route, least of all this one.
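The verification the paragraph above describes, as an added example that is not code from the original post or from any particular webhook provider: an HMAC-SHA256 signature over the timestamp and raw body, a freshness window, and a replay cache keyed on the accepted signature. The header names, the secret, the sample payload and the 300-second tolerance are all assumptions made for the example; real providers use their own header layout.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Hypothetical header names for this example; real providers use their own
# (often one signature header carrying "t=<timestamp>,v1=<hex>").
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300  # reject deliveries whose timestamp is further away than this


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body bytes>'.

    Binding the timestamp into the MAC means an attacker holding an old,
    valid delivery cannot re-date it to slip past the freshness check.
    """
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class ReplayCache:
    """Remembers accepted signatures for as long as their timestamp could still
    pass the freshness check; after that the skew check rejects them anyway, so
    the cache stays bounded. The signature is the key because it already binds
    timestamp and body, so nothing outside the MAC can be edited to evade it.
    """

    def __init__(self) -> None:
        self._seen: Dict[str, int] = {}  # signature -> expiry (unix seconds)

    def check_and_add(self, signature: str, now: int) -> bool:
        for k in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[k]
        if signature in self._seen:
            return False
        self._seen[signature] = now + MAX_SKEW_SECONDS
        return True


def verify_webhook(secret: bytes, headers: Dict[str, str], body: bytes,
                   cache: ReplayCache, now: Optional[int] = None) -> Tuple[bool, str]:
    """Authenticate one inbound delivery. Returns (accepted, reason).

    Only the raw body bytes are signed: never re-serialise parsed JSON, since
    key order or whitespace changes would break the MAC. Nothing here looks at
    Origin or Access-Control-* headers; they carry no authority on this route.
    """
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get(TS_HEADER, ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside tolerance"
    provided = headers.get(SIG_HEADER, "")
    expected = sign(secret, ts, body)
    # Constant-time comparison; a plain == would leak the MAC byte by byte.
    if not hmac.compare_digest(expected.encode(), provided.encode()):
        return False, "bad signature"
    # Replay check runs only after the MAC is valid, so unauthenticated
    # traffic cannot fill the cache with junk entries.
    if not cache.check_and_add(expected, now):
        return False, "replayed delivery"
    return True, "ok"


if __name__ == "__main__":
    secret = b"whsec_example_only"               # constructed for the example
    body = b'{"event":"invoice.paid","id":42}'    # constructed sample payload
    ts = 1_700_000_000
    headers = {TS_HEADER: str(ts), SIG_HEADER: sign(secret, ts, body),
               "Origin": "https://dashboard.example.com"}  # Origin is ignored
    cache = ReplayCache()
    print(verify_webhook(secret, headers, body, cache, now=ts + 5))  # (True, 'ok')
    print(verify_webhook(secret, headers, body, cache, now=ts + 6))  # (False, 'replayed delivery')
```

Two design points worth noting. The replay cache is keyed on the signature rather than on a delivery id header, because a delivery id that is not itself under the MAC could be rewritten by an attacker to make a replayed body look new. And the freshness window and the cache expiry are the same constant, so an entry is only ever evicted once the skew check would reject the same delivery anyway.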
When users still need CORS
A dashboard or SPA served from a different origin that calls your REST API from the browser still needs CORS headers on those endpoints, with an explicit allowlist of origins rather than an echoed Origin value.
Keep webhook ingestion and SPA traffic on separate routes (for example a /webhooks/ prefix and an /api/ prefix): the webhook routes never emit CORS headers, the API routes emit them only for allowlisted origins, and neither policy has to accommodate the other.
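A route-split CORS policy of the kind described above, as an added example rather than code from the original post: browser-facing /api/ routes get CORS headers only for an exact allowlist match (including preflight handling), and /webhooks/ routes never get any. The origins, route prefixes, allowed methods and headers are assumptions for the example, and the header dict is treated as case-sensitive for simplicity; a real framework normalises header names.

```python
from typing import Dict

# Assumed, hypothetical values for this example.
ALLOWED_ORIGINS = {"https://dashboard.example.com"}
API_PREFIX = "/api/"          # browser-facing REST routes
WEBHOOK_PREFIX = "/webhooks/" # partner server-to-server deliveries
ALLOWED_METHODS = "GET, POST, PUT, DELETE"
ALLOWED_HEADERS = "Authorization, Content-Type"


def cors_headers(method: str, path: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Return the CORS response headers (possibly none) for one request.

    Only /api/ routes ever emit them. Webhook routes return nothing: their
    callers are servers, and a browser reaching them should get no grant.
    The origin is matched against an exact allowlist, never echoed back.
    """
    resp: Dict[str, str] = {}
    if path.startswith(WEBHOOK_PREFIX) or not path.startswith(API_PREFIX):
        return resp
    origin = headers.get("Origin")
    if origin is None:
        return resp  # same-origin or non-browser request: nothing to add
    # Mark the response as Origin-dependent even when we deny, so a shared
    # cache never serves a header-less denial to an allowed origin (or vice versa).
    resp["Vary"] = "Origin"
    if origin not in ALLOWED_ORIGINS:
        return resp
    resp["Access-Control-Allow-Origin"] = origin
    # Credentials require a specific origin; "*" is not permitted with them.
    resp["Access-Control-Allow-Credentials"] = "true"
    if method == "OPTIONS" and "Access-Control-Request-Method" in headers:
        resp["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        resp["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
        resp["Access-Control-Max-Age"] = "600"
    return resp


if __name__ == "__main__":
    good = {"Origin": "https://dashboard.example.com"}
    print(cors_headers("GET", "/api/users", good))          # allowlisted: grant
    print(cors_headers("GET", "/api/users", {"Origin": "https://evil.example"}))  # {'Vary': 'Origin'}
    print(cors_headers("POST", "/webhooks/payments", good))  # {}
```

The webhook route returning an empty dict is the point of the split: a signed partner delivery is authenticated by its MAC, and nothing about browser origin policy needs to be reasoned about on that path.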
