Stealth CORS with Origin Reflection and Reliable Logging

Caddyfile

@@ -3,23 +3,23 @@
 }
 
 ai-gateway.ldex.dev {
-    # Log all requests to stdout
     log {
         output stdout
     }
 
-    # 1. Force CORS headers and DELETE duplicates from backend
+    # Stealth CORS: Reflect the requester's origin instead of using "*"
+    # This avoids the "*, *" duplication and looks less suspicious to Zscaler
     header {
-        -Access-Control-Allow-Origin
-        -Access-Control-Allow-Methods
-        -Access-Control-Allow-Headers
-        Access-Control-Allow-Origin *
+        Access-Control-Allow-Origin "{header.Origin}"
         Access-Control-Allow-Methods "GET, POST, OPTIONS"
         Access-Control-Allow-Headers "*"
         Access-Control-Expose-Headers "*"
+        Access-Control-Allow-Credentials "true"
+        # 'defer' ensures we override any headers sent by the backend
+        defer
     }
 
-    # 2. Immediately handle OPTIONS requests
+    # Handle preflights immediately
     @options {
         method OPTIONS
     }
@@ -27,6 +27,5 @@ ai-gateway.ldex.dev {
         respond "" 204
     }
 
-    # 3. Proxy everything else
     reverse_proxy ai-gateway:8000
 }