Route level CORS config overrides connection level defaults
Published: December 28th, 2015
Reported by: Eran Hammer
When server level, connection level or route level CORS configurations are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins
You should install hapi v11.1.4 or newer if you combine server level, connection level, or route level CORS configuration.