The /s/<form-id> endpoint includes permissive CORS headers so you can post from different domains without extra configuration.
This is especially useful for static sites, Jamstack apps, and client-side forms.
Default CORS behavior
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
OPTIONS preflight requests.
If you self-host and want stricter CORS rules, place Formbase behind a proxy that enforces allowed origins.
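The origin check such a proxy would apply in front of /s/<form-id>, as an added example that is not Formbase code. It rejects submissions from unlisted origins outright, because CORS headers only control whether a browser may read the response, and it replaces the upstream wildcard header. The origin list, the function names and the choice to forward requests that carry no Origin header are assumptions.

```javascript
// Constructed allowlist: replace with the sites that host your forms.
const ALLOWED_ORIGINS = new Set(["https://www.example.com", "https://app.example.com"]);

// Decide what the proxy does with one request before it reaches Formbase.
// Returns { action: "forward" | "respond" | "reject", status?, headers }.
function corsDecision(method, origin) {
  const m = String(method).toUpperCase();
  // Assumption: clients that send no Origin (curl, server-side code) are forwarded.
  if (!origin) return { action: "forward", headers: {} };
  // Exact match only: no prefix or suffix matching, and the literal "null" origin never passes.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { action: "reject", status: 403, headers: { vary: "Origin" } };
  }
  // Echo the single matched origin instead of "*", and tell caches the response varies by it.
  const headers = { "access-control-allow-origin": origin, vary: "Origin" };
  if (m === "OPTIONS") {
    // Answer the preflight at the proxy with the same methods and headers as the default.
    headers["access-control-allow-methods"] = "POST, OPTIONS";
    headers["access-control-allow-headers"] = "Content-Type, Authorization";
    return { action: "respond", status: 204, headers };
  }
  if (m !== "POST") return { action: "reject", status: 405, headers: { allow: "POST, OPTIONS" } };
  return { action: "forward", headers };
}

// Build the headers returned to the browser: drop every Access-Control-* header
// set upstream (including the wildcard), then add the proxy's own.
function mergeResponseHeaders(upstreamHeaders, corsHeaders) {
  const out = {};
  for (const [name, value] of Object.entries(upstreamHeaders)) {
    const key = name.toLowerCase();
    if (!key.startsWith("access-control-")) out[key] = value;
  }
  for (const [key, value] of Object.entries(corsHeaders)) {
    // Append to an existing Vary value rather than overwriting it.
    out[key] = key === "vary" && out.vary ? `${out.vary}, ${value}` : value;
  }
  return out;
}
```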