Strange CORS Behavior

(Lewis De Payne) #1

When deploying Caddy for a health-care company, I thought I’d save some time by using the CORS module. Unfortunately, the CORS module exhibited some strange behavior. Due to limited time, I had to remove it and implement my own CORS handler in my endpoints.

I apologize for not having diagnosed this while deploying. I just want to mention that for those of you deploying anything requiring CORS (such as REST and JSON-RPC endpoints), it’s easy enough to handle within your application, if you utilize a good CORS flowchart to design it.

In my case, all my REST and JSON-RPC endpoints are using my own CORS handler, which does not compromise on complying with standards and best practices. In particular, my environment requires a dynamic value for the Access-Control-Allow-Origin header (never “*” wildcard), based on information contained within the authorization bearer JWT.

If anyone needs help with what flow to follow when implementing their own CORS, please simply drop me a note.

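An added example, not from the post or its author's handler: one way to emit a per-request Access-Control-Allow-Origin value in Go, assuming an upstream auth step has already verified the JWT and stored a hypothetical origins claim in the request context. The origins, `originsKey`, `preflightOrigins` and `probe` are constructed for illustration; preflights are answered from a static list because browsers send them without the Authorization header.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type originsKey struct{} // context key: origins claim of the already-verified JWT

// Preflights carry no Authorization header, so they need a static list (constructed).
var preflightOrigins = map[string]bool{"https://app.example": true, "https://portal.example": true}

func cors(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		w.Header().Add("Vary", "Origin") // response differs per Origin; keeps shared caches correct
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			if preflightOrigins[origin] {
				w.Header().Set("Access-Control-Allow-Origin", origin)
				w.Header().Set("Access-Control-Allow-Methods", "GET, POST")
				w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
			}
			w.WriteHeader(http.StatusNoContent)
			return
		}
		allowed, _ := r.Context().Value(originsKey{}).([]string)
		for _, o := range allowed {
			if o == origin { // actual request: exact match against the token's claim only
				w.Header().Set("Access-Control-Allow-Origin", origin)
			}
		}
		next.ServeHTTP(w, r)
	})
}

// probe runs one constructed request through cors and returns status and Allow-Origin.
func probe(method, origin string, tokenOrigins []string) (int, string) {
	r := httptest.NewRequest(method, "/api", nil)
	r.Header.Set("Origin", origin)
	r.Header.Set("Access-Control-Request-Method", "POST") // only meaningful on OPTIONS
	r = r.WithContext(context.WithValue(r.Context(), originsKey{}, tokenOrigins))
	rec := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	cors(ok).ServeHTTP(rec, r)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() { fmt.Println(probe("GET", "https://app.example", []string{"https://app.example"})) }
```

An origin that is absent from the token's claim still reaches the handler here; the browser simply withholds the response from the calling page, so authorization must be enforced separately from CORS.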