fix(cors): expose Request-Context header for App Insights correlation#473
Open
RodriSanchez1 wants to merge 1 commit into
Open
fix(cors): expose Request-Context header for App Insights correlation#473RodriSanchez1 wants to merge 1 commit into
RodriSanchez1 wants to merge 1 commit into
Conversation
Cross-origin JavaScript can only read response headers listed in Access-Control-Expose-Headers. Exposing Request-Context lets the browser App Insights SDK read the server appId so dependencies are attributed to the Cboard API component on the Application Map. Part of #472 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
exposedHeaders: ['Request-Context']to the cors configuration so cross-origin clients can read the App InsightsRequest-Contextresponse header.Closes #472 (API side).
Why
The Node App Insights SDK stamps every response with
Request-Context: appId=..., which the browser SDK uses to attribute its dependency telemetry to the "Cboard API" component on the Application Map. CORS only lets cross-origin JavaScript read response headers explicitly listed inAccess-Control-Expose-Headers, so without this change the header is invisible to the web app and the API shows up as an unmonitored external dependency.No
allowedHeaderslist was added on purpose: thecorsmiddleware currently reflects the preflight'sAccess-Control-Request-Headers, which already permitstraceparent/Request-Idon incoming requests — pinning an explicit list could only break callers.Companion change
Full client↔server correlation also needs the frontend to stop excluding the API domain from correlation headers: revert
'*.cboard.io'back to'cbuilder.cboard.io'insrc/appInsights.js(cboard-org/cboard@5ea5084). Rollout order: deploy this PR first (additive, cannot break existing clients), then the frontend change against QA.Testing
Access-Control-Expose-Headers: Request-Contextand that browser/server telemetry share oneoperation_Idonce the frontend change lands.🤖 Generated with Claude Code