DEV Community: Md Abu Sayem

🌐 CORS Policies Every Backend Developer Must Know

Md Abu Sayem — Wed, 17 Dec 2025 15:34:40 +0000

In modern web applications, frontend and backend often live on different domains. This is where CORS (Cross-Origin Resource Sharing) becomes critical. Misconfigured CORS is one of the most common backend security mistakes—and one of the easiest to avoid if you understand it well.

This article explains best-practice CORS policies that every professional backend developer should follow.

🔍 What Is CORS?

CORS is a browser security mechanism that controls how resources from one origin (domain) can be accessed by another origin.

📌 Important:

CORS is enforced by the browser, but configured by the backend.

❌ The Most Common CORS Mistake

Access-Control-Allow-Origin: *

This allows any website to call your API.

⚠️ If your API uses cookies, tokens, or sessions, this is a serious security risk.

✅ Best Practices for Secure CORS Configuration

1️⃣ Use an Allowlist of Trusted Origins

Always allow only known domains:

const allowedOrigins = [
  'https://app.example.com',
  'https://admin.example.com'
];

This prevents malicious websites from accessing your backend.

2️⃣ Never Use Wildcards with Credentials

If you use:

Cookies
JWT in headers
Sessions

Then you must specify exact origins.

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://app.example.com

❌ * is not allowed with credentials.

3️⃣ Limit Allowed HTTP Methods

Only allow what your API actually needs:

Access-Control-Allow-Methods: GET, POST, PUT, DELETE

Avoid allowing unused methods like PATCH or OPTIONS unnecessarily.

4️⃣ Restrict Allowed Headers

Explicitly define allowed headers:

Access-Control-Allow-Headers: Content-Type, Authorization

This reduces attack surface.

5️⃣ Handle Preflight (OPTIONS) Requests Properly

Browsers send OPTIONS requests before certain API calls.

✔️ Best practice:

Respond quickly
No authentication required
Return 204 No Content

6️⃣ Environment-Based CORS Rules

Environment	Policy
Development	Allow `localhost`
Staging	Allow test domains
Production	Strict allowlist

This keeps development easy and production secure.

7️⃣ Do Not Treat CORS as Security

CORS does NOT replace:

Authentication
Authorization
Rate limiting
Input validation

Attackers can still call your API directly using tools like Postman or curl.

🔐 Example: Secure Node.js CORS Configuration

app.use(cors({
  origin: ['https://app.example.com'],
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  credentials: true,
  maxAge: 86400
}));

🧠 Interview Tip

Q: Is CORS a frontend or backend security feature?
A: CORS is enforced by the browser, but controlled by the backend.

This answer impresses interviewers.

🚀 Final Thoughts

A good backend developer:

Uses least-privilege CORS
Avoids wildcards in production
Separates environment configurations
Understands CORS is not real security

Correct CORS configuration shows professional backend maturity.

Global Server Load Balancing (GSLB): Modern Application Delivery-এর Global Backbone

Md Abu Sayem — Thu, 11 Dec 2025 06:18:22 +0000

আজকের digital world-এ organizations চায় তাদের IT systems 24/7 available থাকুক। এখন applications আর এক জায়গায় host করা হয় না—private datacenter, public cloud আর hybrid cloud মিলিয়ে multi-region architecture খুবই common হয়ে গেছে। AMER, EMEA এবং APAC-এর মতো globally distributed user base support করতে হলে সবচেয়ে গুরুত্বপূর্ণ technology হলো Global Server Load Balancing (GSLB).

What is GSLB?

Global Server Load Balancing (GSLB) হলো এমন একটি intelligent traffic distribution system, যা globally spread data center বা cloud region-গুলোর মধ্যে user requests smartly route করে।

এটা basically একটি geo-aware, performance-driven traffic controller, যা ensures করে:

User যেন always nearest এবং healthiest server-এ connect হয়
কোনো region down থাকলে automatic failover হয়
High availability ও low latency always maintained থাকে

উদাহরণ:
AMER region-এর cloud outage হলে user-কে automatically EMEA বা APAC region-এ redirect করা হবে—কোনো manual সেটিংস ছাড়া।

Why Organizations Need GSLB

আজকে অনেক কোম্পানি worldwide multi-country এবং multi-region markets-এ operate করে। তাই শুধু local load balancing ব্যবহার করলে global-scale application availability maintain করা বেশ চ্যালেঞ্জিং হয়ে যায়।

GSLB use করার key reasons:

1. Performance Optimization
GSLB continuously monitors site-level health এবং load। যদি কোনো site overloaded হয়, traffic automatically অন্য region-এ shift হয়।
Result:
Faster response time + Better user experience.

2. Scalability
Local servers overloaded হলে overflow traffic অন্য safe region-এ send করা যায়।
Meaning:
No need to over-provision servers in a single region.

3. Global Resilience
Active-active বা active-passive failover architecture support করে।
Disaster? Power outage? Region-wide failure?
GSLB simply routes traffic to other healthy locations.

4. Compliance (GDPR, Data Residency etc.)
Geo-policy rules ব্যবহার করে region-specific routing enforce করা যায়।
Example:
EU users → শুধুমাত্র EU servers.

How GSLB Works

GSLB smart routing-এর জন্য multiple algorithms ব্যবহার করে, যেমন:

Round Robin
Weighted Round Robin
Fixed Weighting
Real Server Load
Location-Based Routing
Proximity Routing (lat/long)

এগুলো help করে best possible server pick করতে—based on performance, load, or geography.

DNS Integration

GSLB heavily depends on DNS-based redirection।
FQDN health check করে এবং যদি কোনো site unavailable হয়, request-কে অন্য site-এর IP-তে redirect করে।

Real-World Example

Global tech giants যেমন Netflix, Amazon, এবং Google তাদের worldwide traffic manage করতে GSLB extensively ব্যবহার করে। উদাহরণ হিসেবে Netflix-এর কথা বলা যায়—তাদের millions of global users একসাথে streaming করে, এবং কোনো region-এ server outage বা overload হলে GSLB সঙ্গে সঙ্গে traffic অন্য healthy region-এ redirect করে।

ফলে North America-এর একটি datacenter down হলেও Europe বা Asia-Pacific-এর servers instantly workload take over করে, এবং users uninterrupted streaming experience পায়।

Challenges এবং Solutions

GSLB implement করতে গেলে কিছু hurdles আসে:

Challenges

Complex configuration
DNS integration
Global latency variation
Data sovereignty compliance
Security threats

Solutions

Standardized configuration templates
Automated DNS management
Intelligent routing policies (latency-based, geo-based)
Encrypt traffic + use Web Application Firewall (WAF)
Strict access control

Future Trends: Where GSLB is Heading

GSLB দ্রুত evolve হচ্ছে, এবং এর future আরও intelligent এবং cloud-integrated।

1. Deep Cloud Integration

AWS, Azure, GCP-এর সাথে tighter integration।

2. Multi/Hybrid-Cloud Awareness

Traffic smartly flow করবে public + private cloud environments জুড়ে।

3. Edge Computing Support

Edge nodes-এ distributed decision-making—lower latency, faster routing।

4. AI/ML Powered Routing

Predictive failover

Intelligent routing based on real-time conditions

5. Enhanced Security

Built-in DDoS protection

Advanced WAF

Role in Zero Trust architectures

Conclusion

GSLB modern global application delivery-এর জন্য একটি central technology।
এটি ensures:

High availability
Low latency
Disaster resilience
Smart traffic distribution
Better global user experience

Cloud, hybrid, এবং edge environments বাড়ার সাথে সাথে GSLB আরও powerful, intelligent এবং user-centric হয়ে উঠবে।

🚀 System Design: Functional vs Non-Functional Requirements

Md Abu Sayem — Mon, 08 Dec 2025 16:41:02 +0000

System design-এ functional এবং non-functional requirements বোঝা খুবই গুরুত্বপূর্ণ যাতে scalable এবং robust application বানানো যায়। চলুন WhatsApp-এর সাথে compare করে দেখি:

1️⃣ Functional Requirements (ফাংশনাল রিকোয়ারমেন্ট)

এগুলো define করে system কি করতে পারবে।
Example – WhatsApp:

Send এবং receive text messages ✅
Make voice এবং video calls ✅
Share multimedia (images, videos, documents) ✅
Create এবং manage groups ✅

2️⃣ Non-Functional Requirements (নন-ফাংশনাল রিকোয়ারমেন্ট)

**
এগুলো define করে system কেমন perform করবে এবং quality attributes।
Example – WhatsApp:

Performance: Messages কয়েক সেকেন্ডের মধ্যে deliver হবে ⚡
Scalability: Millions of concurrent users support করতে পারবে 🌐
Security: End-to-end encryption থাকবে 🔒
Availability: 99.99% uptime ⏱
Usability: Simple এবং intuitive interface 🖥

💡 Key takeaway:

WhatsApp-এর মতো সফল apps তৈরি করতে, Functional requirements হলো features, আর Non-functional requirements হলো experience & quality। দুটোই সমান গুরুত্বপূর্ণ।