CORS Mistakes with Cloudflare Zero Trust
CORS with Cloudflare Zero Trust tends to fail in ways that look random until you understand who is actually answering the browser. That’s the first mistake: treating CORS like an app-only problem when Cloudflare is sitting in front of your app, enforcing Access policies, redirecting unauthenticated users, and sometimes answering OPTIONS before your origin ever sees it. If you’ve ever said “but my API sends Access-Control-Allow-Origin just fine” while the browser still throws a CORS error, this is probably why. ...
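To check who actually answered the browser, classify a captured response before touching the app's CORS configuration. This is an added example, not code from the original post: `classifyResponder`, the verdict names and the sample exchanges (including the `example-team` hostname) are constructed, and it assumes Access login redirects point at a `*.cloudflareaccess.com` host.

```javascript
// Assumption: an Access login redirect targets a *.cloudflareaccess.com host.
const ACCESS_LOGIN_HOST = /\.cloudflareaccess\.com$/i;

// Classify one request/response pair copied from the browser's network tab.
function classifyResponder({ method, url, status, headers, pageOrigin, withCredentials = false }) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  const acao = h['access-control-allow-origin'];
  // Credentialed requests need an exact origin plus Allow-Credentials: true.
  const credsOk = !withCredentials || h['access-control-allow-credentials'] === 'true';
  const originAllowed =
    credsOk && (acao === pageOrigin || (acao === '*' && !withCredentials));

  // A redirect to the Access login page means the origin never answered.
  if (status >= 300 && status < 400 && h.location) {
    const target = new URL(h.location, url); // also resolves relative Location values
    if (ACCESS_LOGIN_HOST.test(target.hostname)) return 'access-redirect';
  }
  // A preflight must get a 2xx with matching CORS headers; anything else
  // fails the request no matter what the API would send on the real call.
  if (method === 'OPTIONS') {
    return status >= 200 && status < 300 && originAllowed ? 'preflight-ok' : 'preflight-failed';
  }
  return originAllowed ? 'cors-ok' : 'cors-rejected';
}

// Constructed sample exchanges (not captures from a real deployment).
const page = 'https://app.example.com';
const api = 'https://api.example.com/v1/items';
const samples = {
  unauthenticatedGet: { method: 'GET', url: api, status: 302, pageOrigin: page,
    headers: { Location: 'https://example-team.cloudflareaccess.com/cdn-cgi/access/login/api.example.com' } },
  blockedPreflight: { method: 'OPTIONS', url: api, status: 403, pageOrigin: page, headers: {} },
  authenticatedGet: { method: 'GET', url: api, status: 200, pageOrigin: page, withCredentials: true,
    headers: { 'Access-Control-Allow-Origin': page, 'Access-Control-Allow-Credentials': 'true' } },
  wildcardWithCookies: { method: 'GET', url: api, status: 200, pageOrigin: page, withCredentials: true,
    headers: { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' } },
};

for (const [name, exchange] of Object.entries(samples)) {
  console.log(name, '->', classifyResponder(exchange));
}
```

An `access-redirect` or `preflight-failed` verdict points at the Access layer in front of the app, not at the headers the API sets.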