CORS for Real-Time Apps: Socket.IO and SignalR
Real-time apps make CORS weirder than plain old fetch(). A normal API request is easy to reason about: browser sends an Origin, server returns Access-Control-Allow-Origin, done. Real-time stacks like Socket.IO and SignalR add negotiation endpoints, long-polling fallbacks, credentials, sticky sessions, and WebSocket upgrades. That combination creates the kind of bug where everything works locally, then production starts throwing “CORS policy blocked” while your WebSocket dashboard looks perfectly healthy. I’ve hit this enough times that I now treat real-time CORS as a separate problem, not just “API CORS but more.” ...
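An added example, not code from the original post or from Socket.IO or SignalR: origin handling for the two request kinds named above. On the HTTP negotiate and long-polling requests the browser enforces CORS, and a credentialed response must echo one exact origin; on the WebSocket upgrade the browser sends Origin but applies no CORS check, so the server has to validate it. ALLOWED_ORIGINS, corsHeaders, allowUpgrade and the example.com origins are assumptions.

```javascript
// Added example. ALLOWED_ORIGINS, corsHeaders and allowUpgrade are hypothetical names;
// the example.com origins and sample requests are constructed.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// HTTP side (negotiate and long-polling requests): the browser enforces CORS here.
// With credentials, Access-Control-Allow-Origin must be one exact origin, never "*".
function corsHeaders(method, originHeader) {
  const headers = { Vary: "Origin" }; // keep caches from reusing another origin's response
  if (!ALLOWED_ORIGINS.has(originHeader)) return headers; // no ACAO: browser blocks the read
  headers["Access-Control-Allow-Origin"] = originHeader;
  headers["Access-Control-Allow-Credentials"] = "true";
  if (method === "OPTIONS") { // preflight
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    headers["Access-Control-Allow-Headers"] = "Content-Type";
  }
  return headers;
}

// WebSocket side: browsers send Origin on the upgrade but do not apply CORS to it,
// so the server has to reject unlisted origins itself. Exact match only: prefix,
// suffix or regex matching would let look-alike hosts through.
function allowUpgrade(requestHeaders, { allowMissingOrigin = false } = {}) {
  const origin = requestHeaders["origin"]; // Node lower-cases header names
  if (origin === undefined) return allowMissingOrigin; // non-browser clients send none
  return ALLOWED_ORIGINS.has(origin);
}

// Constructed sample requests covering both transports.
function demo() {
  return {
    pollOk: corsHeaders("GET", "https://app.example.com"),
    pollBad: corsHeaders("GET", "https://app.example.com.other.test"),
    preflight: corsHeaders("OPTIONS", "https://admin.example.com"),
    wsOk: allowUpgrade({ origin: "https://app.example.com", upgrade: "websocket" }),
    wsBad: allowUpgrade({ origin: "https://other.example.net", upgrade: "websocket" }),
    wsNoOrigin: allowUpgrade({ upgrade: "websocket" }),
  };
}

console.log(demo());
```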