ruby
10 lines · 1 tab
Kai Nakamura
Apr 2026
1 tab
Rails.application.config.middleware.insert_before 0, Rack::Cors do
allow do
origins 'https://app.example.com', 'https://admin.example.com'
resource '/api/*',
headers: %w[Authorization Content-Type],
methods: %i[get post patch delete options],
credentials: true,
max_age: 600
end
end
1 file · ruby
Explain with highlit
CORS is not an authentication control, but bad CORS settings still widen attack surface unnecessarily. I allow exact origins, restrict methods and headers, and avoid wildcard credentials combinations entirely. If the front-end origin list is unclear, that is a design problem to solve, not a reason to use *.
Share this code
Here's the card — post it anywhere.