Tests cover:
- OPTIONS preflight returns 204 with no body and skips next handler
- CORS headers added to GET/POST responses
- Origin header echoed back; wildcard used when absent
- Correct allowed methods (GET, POST, OPTIONS)
- Correct allowed headers (Content-Type, Accept, X-Requested-With)
- Rate limit headers exposed to browser clients
- Max-Age 3600 and Vary: Origin for correct cache behaviour
- Access-Control-Allow-Credentials intentionally absent (security boundary)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>