Hi Shivam,
We have encountered this same behaviour in Constellation and the key point is that it is not caused by the Pega application or the AppStatic service itself.
In Constellation architecture, all static UI assets under
/c11n-appstatic/*
are not served by the Pega engine. They are delivered directly by whatever load balancer or reverse proxy sits in front of the environment (for example AWS Application Load Balancer).
Because of that
1. Pega CORS rules do not apply to AppStatic
Pega’s CORS configuration is only evaluated for
AppStatic requests do not reach the Pega engine, so Pega cannot control the CORS headers for them.
2. The CORS behaviour you are seeing is coming from the load balancer
If the load balancer is configured with:
…then it will appear as if AppStatic “allows all origins”, even though Pega has no involvement.
This matches exactly what we saw, the LB was dynamically reflecting the Origin header.
3. The fix must be applied at the load balancer / reverse proxy
To lock this down, configure CORS at the LB (or reverse proxy) using non‑reflective, allow‑listed rules, for example:
-
Set Access-Control-Allow-Origin to explicit trusted origins only
-
Do not reflect $http_origin or ${origin}
-
Restrict methods to GET and OPTIONS (static assets don’t need POST)
-
Keep allowed headers minimal
-
Return 403 or omit ACAO for untrusted Origins
-
Scope rules only to /c11n-appstatic/* so API traffic is unaffected
Once the LB is configured with a strict allow‑list, the issue is resolved.
4. Important reassurance
AppStatic contains only static Constellation UI resources (JS bundles, CSS, component metadata, images, localisation files).
It does not contain case data, user data, or API responses, so the concern is around CORS misconfiguration, not sensitive data exposure.
Pega SR Reference : INC-D12705