Currently I have an allow policy on a subdomain (
sub.domain.com) that blocks all access unless you are authorised through CF access.
I added two extra rules to expose two public endpoints.
I want to have CORS = “*” to the public endpoint, so I added the CORS rules to the application.
I can see that the CORS headers are applied correctly to all routes by the two bypass rules.
This is a bit unexpected because there is no option to customise CORS rules in bypass.