Skip to content

fix(devserver): add x-bt-use-gateway to CORS allowed headers#119

Merged
Curtis Galione (cjgalione) merged 1 commit intomainfrom
fix/devserver-cors-add-use-gateway-header
Mar 23, 2026
Merged

fix(devserver): add x-bt-use-gateway to CORS allowed headers#119
Curtis Galione (cjgalione) merged 1 commit intomainfrom
fix/devserver-cors-add-use-gateway-header

Conversation

@cjgalione
Copy link
Contributor

@cjgalione Curtis Galione (cjgalione) commented Mar 23, 2026

Summary

  • Add x-bt-use-gateway to ALLOWED_HEADERS in the Python devserver CORS config, matching what api-ts/src/cors.ts already allows
  • Add a test that verifies CORS preflight accepts this header

Context

The Braintrust Playground sends x-bt-use-gateway: true when gateway routing is enabled. The main data plane (api-ts) added this header to its CORS allowlist in Feb (commit ee5f4f65e0), but the Python SDK devserver was never updated to match.

This causes browsers to block preflight OPTIONS requests to any remote eval server built on braintrust.devserver, with an error like:

Request header field x-bt-use-gateway is not allowed by Access-Control-Allow-Headers

Multiple demo projects (pydantic-supervisor, langgraph-supervisor, google-adk-supervisor) independently worked around this by monkey-patching bt_cors.ALLOWED_HEADERS at startup. This fix addresses it at the source.

Test plan

  • New test test_cors_preflight_allows_gateway_header sends an OPTIONS request with x-bt-use-gateway and asserts it appears in the response's access-control-allow-headers
  • All existing devserver integration tests continue to pass

@cjgalione
fix(devserver): add x-bt-use-gateway to CORS allowed headers
42afcfd 
The Braintrust Playground sends x-bt-use-gateway when gateway routing
is enabled. The api-ts CORS config already allows it, but the Python
devserver's ALLOWED_HEADERS list was missing it, causing browsers to
block preflight requests to remote eval servers with a CORS error.
AbhiPrasad
Abhijeet Prasad (AbhiPrasad) approved these changes Mar 23, 2026
View reviewed changes
Copy link
Member

@AbhiPrasad Abhijeet Prasad (AbhiPrasad) left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ty ty

@cjgalione Curtis Galione (cjgalione) merged commit 824861d into main Mar 23, 2026
32 of 33 checks passed
@cjgalione Curtis Galione (cjgalione) deleted the fix/devserver-cors-add-use-gateway-header branch March 23, 2026 22:48
@AbhiPrasad Abhijeet Prasad (AbhiPrasad) mentioned this pull request Mar 23, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AbhiPrasad Abhijeet Prasad (AbhiPrasad) AbhiPrasad approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cjgalione @AbhiPrasad