When deploying Caddy for a health-care company, I thought I’d save some time by using the CORS module. Unfortunately, the CORS module exhibited some strange behavior. Due to limited time, I had to remove it and implement my own CORS handler in my endpoints.
I apologize for not having diagnosed this while deploying. I just want to mention that for those of you deploying anything requiring CORS (such as REST and JSON-RPC endpoints), it’s easy enough to handle within your application, if you utilize a good CORS flowchart to design it.
In my case, all my REST and JSON-RPC endpoints are using my own CORS handler, which does not compromise on complying with standards and best practices. In particular, my environment requires a dynamic value for the Access-Control-Allow-Origin header (never “*” wildcard), based on information contained within the authorization bearer JWT.
If anyone needs help with what flow to follow when implementing their own CORS, please simply drop me a note.
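
Added example, not part of the original post and not the poster's handler: a Go `net/http` middleware sketch of the flow described above, where `Access-Control-Allow-Origin` echoes the request origin only when it exactly matches a claim in the verified bearer JWT. Assumptions made here: HS256 with a shared secret, a claim named `origin`, and a static `known` set for preflights, since browsers send preflight requests without the `Authorization` header. Expiry and audience checks are left to the application's normal token validation.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/http"
	"strings"
)

var enc = base64.RawURLEncoding
var key = []byte("constructed-demo-key")                  // assumption: HS256 shared secret
var known = map[string]bool{"https://app.example": true} // origins allowed to preflight

// sign returns the HS256 signature segment for "header.payload".
func sign(in string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(in))
	return enc.EncodeToString(m.Sum(nil))
}

// tokenOrigin returns the "origin" claim (name assumed) of a validly signed bearer token, else "".
func tokenOrigin(auth string) string {
	var c struct{ Origin string }
	p := strings.Split(strings.TrimPrefix(auth, "Bearer "), ".")
	if len(p) == 3 && hmac.Equal([]byte(p[2]), []byte(sign(p[0]+"."+p[1]))) {
		body, _ := enc.DecodeString(p[1])
		json.Unmarshal(body, &c)
	}
	return c.Origin
}

func cors(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		o, pre := r.Header.Get("Origin"), r.Method == http.MethodOptions // preflight: no token
		w.Header().Add("Vary", "Origin") // the response depends on the caller's origin
		if o != "" && (pre && known[o] || !pre && tokenOrigin(r.Header.Get("Authorization")) == o) {
			w.Header().Set("Access-Control-Allow-Origin", o) // exact echo, never "*"
			w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
		}
		if pre {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() { http.ListenAndServe("127.0.0.1:8080", cors(http.NotFoundHandler())) }
```

A response without `Access-Control-Allow-Origin` is what makes the browser refuse the cross-origin read; the wrapped handler still has to enforce authorization on its own.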