Skip to content

fix(cors): expose Request-Context header for App Insights correlation#473

Open
RodriSanchez1 wants to merge 1 commit into
masterfrom
fix/appinsights-cors-expose-request-context
Open

fix(cors): expose Request-Context header for App Insights correlation#473
RodriSanchez1 wants to merge 1 commit into
masterfrom
fix/appinsights-cors-expose-request-context

Conversation

@RodriSanchez1

Copy link
Copy Markdown
Collaborator

Summary

Adds exposedHeaders: ['Request-Context'] to the cors configuration so cross-origin clients can read the App Insights Request-Context response header.

Closes #472 (API side).

Why

The Node App Insights SDK stamps every response with Request-Context: appId=..., which the browser SDK uses to attribute its dependency telemetry to the "Cboard API" component on the Application Map. CORS only lets cross-origin JavaScript read response headers explicitly listed in Access-Control-Expose-Headers, so without this change the header is invisible to the web app and the API shows up as an unmonitored external dependency.

No allowedHeaders list was added on purpose: the cors middleware currently reflects the preflight's Access-Control-Request-Headers, which already permits traceparent/Request-Id on incoming requests — pinning an explicit list could only break callers.

Companion change

Full client↔server correlation also needs the frontend to stop excluding the API domain from correlation headers: revert '*.cboard.io' back to 'cbuilder.cboard.io' in src/appInsights.js (cboard-org/cboard@5ea5084). Rollout order: deploy this PR first (additive, cannot break existing clients), then the frontend change against QA.

Testing

  • Additive header change only; no behavioral change for existing clients.
  • After deploy, verify a response includes Access-Control-Expose-Headers: Request-Context and that browser/server telemetry share one operation_Id once the frontend change lands.

🤖 Generated with Claude Code

Cross-origin JavaScript can only read response headers listed in
Access-Control-Expose-Headers. Exposing Request-Context lets the
browser App Insights SDK read the server appId so dependencies are
attributed to the Cboard API component on the Application Map.

Part of #472

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Client-server telemetry correlation broken: browser and API report different operation ids in App Insights

1 participant