docs: add web callback docs #2973
Open
Claude / Claude Code Review
completed
May 22, 2026 in 10m 22s
Code review found 1 important issue
Found 5 candidates, confirmed 2. See review comments for details.
Details
| Severity | Count |
|---|---|
| 🔴 Important | 1 |
| 🟡 Nit | 1 |
| 🟣 Pre-existing | 0 |
| Severity | File:Line | Issue |
|---|---|---|
| 🔴 Important | content/docs/observability/features/web-callbacks.mdx:69 |
Misleading CORS preflight condition (JSON POSTs always trigger preflight) |
| 🟡 Nit | content/docs/observability/features/web-callbacks.mdx:110 |
Example Access-Control-Allow-Headers omits custom headers configured in Langfuse |
Annotations
Check failure on line 69 in content/docs/observability/features/web-callbacks.mdx
claude / Claude Code Review
Misleading CORS preflight condition (JSON POSTs always trigger preflight)
The prose at lines 69 and 155 says CORS preflight is needed "if you configure custom headers", but a POST with `Content-Type: application/json` (which Langfuse sends, per line 36) **always** triggers a CORS preflight regardless of any custom headers — `application/json` is not a CORS-safelisted Content-Type per the Fetch spec. The example code on lines 112–116 correctly handles `OPTIONS` unconditionally, but a reader following the prose literally could omit `OPTIONS` handling assuming they have
Check warning on line 110 in content/docs/observability/features/web-callbacks.mdx
claude / Claude Code Review
Example Access-Control-Allow-Headers omits custom headers configured in Langfuse
The example sets `Access-Control-Allow-Headers: "content-type"` but step 4 above invites users to configure "optional browser-visible headers" on the endpoint. Any custom header configured in the Langfuse UI (e.g. `X-Trace-Source`) will appear in the preflight's `Access-Control-Request-Headers` and be rejected by this static allowlist — causing a confusing CORS failure. Consider adding a comment noting that any custom headers configured in Langfuse must be appended to `Access-Control-Allow-Heade
Loading