CORS disabled on bypass rules

Currently I have an allow policy on a subdomain ( that blocks all access unless you are authorised through CF access.

I added two extra rules to expose two public endpoints.

I want to have CORS = “*” to the public endpoint, so I added the CORS rules to the application.

I can see that the CORS headers are applied correctly to all routes by the two bypass rules.

This is a bit unexpected because there is no option to customise CORS rules in bypass.

Why are you needing to set CORS on the bypass rule?

1 Like