File under “Learn something new every day.”
Long story short, we have enabled CORS in our API, but today I learned that not all headers are included.
Particularly, like Aaron, we needed to ensure that the Location header came back when a POST request created a new resource. Our solution is a bit different than his. We’re already using the EnableCorsAttribute, so Rob pointed out that we can just do this:
Like the other constructor arguments, that last can be a comma separated list. Looks legit!