---
# quotesdb-xg67
title: '[TRIAGE] Local dev CORS and Trunk API proxy config (trunk serve proxying to api on different port)'
status: completed
type: task
priority: critical
created_at: 2026-03-10T23:32:09Z
updated_at: 2026-03-10T23:32:09Z
---
This is a triage decision ticket. It must be resolved before dependent implementation tickets can proceed.
Local dev CORS and Trunk proxy config: during `trunk serve`, the UI runs on one port and the API on another. How do we handle cross-origin API calls in development?
1. **Trunk proxy** — configure Trunk to proxy `/api/*` requests to the API server. No CORS needed. Add to `Trunk.toml`.
2. **CORS middleware on API** — add `tower-http` CORS middleware to the Axum router, allowing localhost origins in development.
3. **Same-origin in production** — in production, both are served from the same Cloudflare account; in dev, use the Trunk proxy.
**Chosen approach: Option 1 — Trunk proxy.**
Rationale:
- Mirrors the production architecture: Cloudflare routes `/api/*` to the Worker at the same domain as the Pages site. No CORS configuration is needed in production either.
- Frontend uses **relative URLs** (`/api/quotes`, not `http://localhost:3000/api/quotes`). The same paths work in both dev (Trunk proxies them) and production (Cloudflare routes them).
- Zero CORS configuration: no `tower-http` CORS middleware, no `Access-Control-Allow-Origin` headers. Simpler API, smaller attack surface.
- Port: API runs on `localhost:3000` via `cargo run` (plain Axum/Tokio for local dev).
Implementation:
- `Trunk.toml` — add `[[proxy]] rewrite = "/api" backend = "http://localhost:3000"`. See ticket 00d6d7.
- `src/bin/ui/api.rs` — use relative URLs only. See ticket 1e6a09.
Updated tickets: dc3d2b (Trunk.toml setup), 1e6a09 (API client module).
Created ticket: 00d6d7 (dedicated implementation task for the proxy config).
`chore(quotesdb): resolve triage — local-dev-cors-and-trunk-api-proxy-config-trunk-serve-proxyi`