Skip to content

Commit 522c404

Browse files
vishrclaude
andcommitted
docs(cors): note reverse-proxy header duplication on CORS godoc
Clarify that CORS headers are written before the handler runs, so chained proxies that copy upstream CORS headers should dedupe at the proxy (ReverseProxy.ModifyResponse) rather than expect this middleware to remove duplicates. Refs #2853. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 5aa876b commit 522c404

1 file changed

Lines changed: 6 additions & 0 deletions

File tree

middleware/cors.go

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -125,6 +125,12 @@ type CORSConfig struct {
125125
// misconfigurations for Bitcoins and bounties] and [Portswigger: Cross-origin
126126
// resource sharing (CORS)] for more details.
127127
//
128+
// CORS headers are written before the handler runs. Do not enable CORS on
129+
// internal upstream layers; let the edge own it. If you place this in front of a
130+
// reverse proxy that copies upstream CORS headers, dedupe at the proxy (e.g.
131+
// httputil.ReverseProxy.ModifyResponse) rather than expecting this middleware to
132+
// remove the duplicates.
133+
//
128134
// [MDN: Cross-Origin Resource Sharing (CORS)]: https://developer.mozilla.org/en/docs/Web/HTTP/Access_control_CORS
129135
// [Exploiting CORS misconfigurations for Bitcoins and bounties]: https://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
130136
// [Portswigger: Cross-origin resource sharing (CORS)]: https://portswigger.net/web-security/cors

0 commit comments

Comments
 (0)