Middleware & Security

CORS

Basic configuration

.middleware(|m| {
    m.with_cors(|c| {
        c.origin("https://app.example.com")
         .origin("https://www.example.com")
    })
})

Allow any origin

m.with_cors(|c| c.any_origin())

This sets Access-Control-Allow-Origin: * on responses, so any website can read them. Safe only for fully public, read-only APIs.


With credentials

Cookies and Authorization headers require explicit opt-in:

m.with_cors(|c| {
    c.origin("https://app.example.com")
     .allow_credentials(true)
})

Security constraint: any_origin() and .allow_credentials(true) cannot be combined. Runique rejects this configuration at build time with a BuildError.
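To make the build-time rule concrete, here is an added example of a small CORS builder that refuses the same combination before any request is served. It is not Runique's code; the type and method names (CorsConfig, Cors, BuildError) are assumptions, not the framework's API.

```rust
// Added example (not Runique's code): a CORS builder that enforces the same
// build-time rule, "any origin" combined with credentials is refused.
// Type and method names here are assumptions, not the framework's API.
#[derive(Debug, PartialEq)]
pub enum BuildError {
    WildcardWithCredentials,
}

#[derive(Debug, Default)]
pub struct CorsConfig {
    origins: Vec<String>,
    any_origin: bool,
    allow_credentials: bool,
}

impl CorsConfig {
    pub fn new() -> Self { Self::default() }
    pub fn origin(mut self, o: &str) -> Self { self.origins.push(o.to_string()); self }
    pub fn any_origin(mut self) -> Self { self.any_origin = true; self }
    pub fn allow_credentials(mut self, v: bool) -> Self { self.allow_credentials = v; self }

    /// Validation happens at build time, before any request is served:
    /// `Access-Control-Allow-Origin: *` with credentials would let any site
    /// make authenticated requests, so that combination is an error.
    pub fn build(self) -> Result<Cors, BuildError> {
        if self.any_origin && self.allow_credentials {
            return Err(BuildError::WildcardWithCredentials);
        }
        Ok(Cors(self))
    }
}

/// A validated configuration; only obtainable through `build`.
pub struct Cors(CorsConfig);

impl Cors {
    /// Value for `Access-Control-Allow-Origin` given the request's `Origin`,
    /// or `None` when the origin is not allowed (no CORS headers are sent).
    pub fn allow_origin_header(&self, request_origin: &str) -> Option<String> {
        if self.0.any_origin {
            return Some("*".to_string());
        }
        // Echo the exact allowed origin; a wildcard is never sent with credentials.
        self.0.origins.iter().find(|o| o.as_str() == request_origin).cloned()
    }

    pub fn allow_credentials(&self) -> bool { self.0.allow_credentials }
}
```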


Cache preflight duration

m.with_cors(|c| {
    c.origin("https://app.example.com")
     .max_age(3600)  // seconds, default: 3600
})

Stripe / third-party webhooks

Stripe and similar services POST directly from their servers, not from a browser, so CORS does not apply to these server-to-server calls. For Stripe webhooks, use .csrf_exempt() instead, and verify the Stripe-Signature header in your handler.