ruby 10 lines · 1 tab

Security focused CORS configuration for browser APIs

Kai Nakamura Apr 2026
1 tab
Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins 'https://app.example.com', 'https://admin.example.com'
    resource '/api/*',
      headers: %w[Authorization Content-Type],
      methods: %i[get post patch delete options],
      credentials: true,
      max_age: 600
  end
end
1 file · ruby Explain with highlit

CORS is not an authentication control, but bad CORS settings still widen attack surface unnecessarily. I allow exact origins, restrict methods and headers, and avoid wildcard credentials combinations entirely. If the front-end origin list is unclear, that is a design problem to solve, not a reason to use *.

Share this code

Here's the card — post it anywhere.

Security focused CORS configuration for browser APIs — share card
Link copied