
CORS Design

A complete pattern for cross-origin resource sharing in Meridian APIs — preflight handling, credential modes, and wildcard restrictions.

Problem

Browsers block cross-origin requests by default. Without explicit CORS headers, your dashboard, CLI tools, and third-party integrations fail silently with opaque network errors.

Solution

Configure the Meridian API gateway to echo precise Access-Control-Allow-Origin headers. Never use * when credentials are involved — browsers reject the combination per the Fetch spec.

Preflight Flow

  1. Browser sends OPTIONS with Origin and Access-Control-Request-Method.
  2. Server responds with allowed methods, headers, and max age.
  3. Browser caches preflight for Access-Control-Max-Age seconds.
  4. Actual request proceeds with credentials if Access-Control-Allow-Credentials: true is present.

Key Rules

  • Mirror the request Origin only after validating it against an allowlist — never hardcode a single domain unless the API is private, and never echo an origin you have not checked.
  • Set Vary: Origin so CDNs don't cache the wrong CORS response.
  • Expose custom headers via Access-Control-Expose-Headers if the client needs to read them in JavaScript.
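The preflight flow and key rules above, as an added example that is not Meridian's own gateway code: a header builder that echoes an allowlisted Origin, sets Vary, never pairs `*` with credentials, and answers preflights with methods, headers and max age. The allowlist, method list and header names are constructed assumptions.

```python
# Added example, not Meridian's own code. Applies the CORS rules on this page.
from typing import Dict, Optional

ALLOWED_ORIGINS = {"https://dashboard.example.com", "https://cli.example.com"}  # constructed
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}                               # constructed
ALLOWED_HEADERS = "Authorization, Content-Type"                                 # constructed
EXPOSED_HEADERS = "X-Request-Id"                                                # constructed
MAX_AGE_SECONDS = 600


def cors_headers(method: str, headers: Dict[str, str],
                 allow_credentials: bool = True) -> Optional[Dict[str, str]]:
    """Return the CORS response headers for one request.

    Returns {} for requests without an Origin (no CORS needed) and None when
    the request must be refused (unknown origin, or a preflight asking for a
    method we do not allow). Header names are assumed to be canonical-cased.
    """
    origin = headers.get("Origin")
    if origin is None:
        return {}  # same-origin or non-browser client: emit no CORS headers
    if origin not in ALLOWED_ORIGINS:
        return None  # never reflect an origin that is not on the allowlist

    out = {
        "Access-Control-Allow-Origin": origin,  # exact echo, never "*"
        "Vary": "Origin",                       # keep CDNs from caching the wrong origin
    }
    if allow_credentials:
        # Safe only because the origin above is a specific allowlisted value.
        out["Access-Control-Allow-Credentials"] = "true"

    requested = headers.get("Access-Control-Request-Method")
    if method.upper() == "OPTIONS" and requested is not None:
        # Preflight: browser asks whether the real request may proceed.
        if requested.upper() not in ALLOWED_METHODS:
            return None
        out["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        out["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
        out["Access-Control-Max-Age"] = str(MAX_AGE_SECONDS)
    else:
        # Actual request: let the page read custom headers from the response.
        out["Access-Control-Expose-Headers"] = EXPOSED_HEADERS
    return out
```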