CORS for Fly.io Deployments: Patterns, Tradeoffs, and Gotchas
If you deploy APIs on Fly.io, CORS usually stops being “just a browser thing” the moment your frontend hits production. Locally, everything works. Then your app lands behind Fly Proxy, gets a custom domain, maybe a second region, and suddenly your browser starts yelling about preflights and missing Access-Control-Allow-Origin. The good news: Fly.io doesn’t make CORS unusually hard. The bad news: Fly.io also doesn’t magically solve it for you. You still need to decide where CORS lives, how strict it should be, and how it behaves across preview apps, custom domains, and edge-facing traffic. ...