QR Code Generator uses an explicit origin allowlist to control cross-origin access. Rather than using a wildcard (*) that would allow any origin, the service reflects the request Origin header back to the caller only when that origin appears in the ALLOWED_ORIGINS environment variable. Requests from origins not on the list, or same-origin requests that carry no Origin header at all, receive no Access-Control-Allow-Origin header, and the browser enforces its default same-origin policy.
How CORS Works in This Service
The buildCorsHeaders function in src/lib/http.ts is called by every API endpoint to build the response headers for both regular requests and OPTIONS preflight requests.
The function sets Access-Control-Allow-Origin only when the incoming Origin matches the allowlist. The Vary: Origin header is always present to prevent shared caches from serving one origin’s CORS response to a different origin.
Response Headers
Every API response includes the following headers, regardless of whether the origin is allowed:

| Header | Value | Notes |
|---|---|---|
| Access-Control-Allow-Origin | Reflected request Origin | Only included when the origin is in the allowlist; omitted otherwise |
| Access-Control-Allow-Methods | Endpoint-specific (e.g. GET, OPTIONS) | Set per endpoint |
| Access-Control-Allow-Headers | Content-Type | Fixed value |
| Access-Control-Max-Age | 86400 | Preflight cache duration: 24 hours |
| Vary | Origin | Always set; prevents cache poisoning across origins |
Preflight Requests
All API endpoints handle the HTTP OPTIONS method for CORS preflight. When a browser sends a preflight OPTIONS request, the endpoint calls preflightResponse, which returns an empty 204 No Content response with the full set of CORS headers.
The Access-Control-Max-Age: 86400 header tells the browser to cache the preflight result for 24 hours, reducing the number of preflight round-trips for repeat requests to the same endpoint.
Setting Up ALLOWED_ORIGINS
Set the ALLOWED_ORIGINS variable in wrangler.jsonc to a comma-separated list of the origins that need cross-origin access to the API.
Behavior Reference
The table below summarises how the service responds under different request scenarios:

| Scenario | Origin header | In allowlist | Result |
|---|---|---|---|
| Same-origin request | absent | n/a | No Access-Control-Allow-Origin header; browser allows the request normally |
| Cross-origin, allowed | present | yes | Access-Control-Allow-Origin reflects the request origin; browser permits the response |
| Cross-origin, blocked | present | no | No Access-Control-Allow-Origin header; browser blocks the response |
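
The behaviour in the table above, as an added TypeScript sketch; it is not the project's src/lib/http.ts. The function names follow this page, while the signatures, the handling of "*", "null" and trailing slashes in ALLOWED_ORIGINS, and the example.com origins are assumptions made for illustration.

```typescript
// Added sketch, not the project's src/lib/http.ts: names follow the page,
// signatures and parsing details are assumptions.
type HeaderMap = { [name: string]: string };

// Split the comma-separated ALLOWED_ORIGINS value into exact origin strings.
function parseAllowedOrigins(raw: string | undefined): string[] {
  const origins: string[] = [];
  for (const entry of (raw || "").split(",")) {
    const origin = entry.trim().replace(/\/+$/, ""); // tolerate a trailing slash
    // Assumption: "*" and "null" entries are ignored so the list stays explicit.
    if (origin !== "" && origin !== "*" && origin !== "null") origins.push(origin);
  }
  return origins;
}

// requestOrigin is the raw Origin header, or null when the request carried none.
function buildCorsHeaders(requestOrigin: string | null, allowedRaw: string | undefined, methods: string): HeaderMap {
  const headers: HeaderMap = {
    "Access-Control-Allow-Methods": methods,
    "Access-Control-Allow-Headers": "Content-Type",
    "Access-Control-Max-Age": "86400",
    "Vary": "Origin", // always set, so shared caches key the response on Origin
  };
  // Exact string match only: no prefix, suffix or pattern matching.
  if (requestOrigin !== null && parseAllowedOrigins(allowedRaw).indexOf(requestOrigin) !== -1) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Empty 204 answer to an OPTIONS preflight, carrying the same header set.
function preflightResponse(requestOrigin: string | null, allowedRaw: string | undefined, methods: string) {
  return { status: 204, body: null, headers: buildCorsHeaders(requestOrigin, allowedRaw, methods) };
}

// Constructed sample configuration; the three scenarios from the table above.
const SAMPLE_ALLOWED = "https://app.example.com, https://staging.example.com";
function tableScenarios(): { [scenario: string]: string | undefined } {
  const acao = (origin: string | null) =>
    buildCorsHeaders(origin, SAMPLE_ALLOWED, "GET, OPTIONS")["Access-Control-Allow-Origin"];
  return {
    sameOrigin: acao(null),
    allowed: acao("https://app.example.com"),
    blocked: acao("https://other.example.net"),
  };
}
```

Because the comparison is an exact string match, an origin that merely starts or ends with an allowed value gets no Access-Control-Allow-Origin header.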
Common Configurations
Single production domain
Allow one frontend domain in production:
Multiple environments
Allow both production and staging frontends: