CORS
CORS headers are applied to all /api/* routes by the root middleware (proxy.ts).
CORS_ORIGINS defaults to empty, which blocks all cross-origin requests: no Access-Control-Allow-Origin header is sent, so browsers refuse to hand the response to cross-origin scripts. You must explicitly list allowed origins for production. Note that CORS only governs what a browser will let a page read; it is not server-side access control, and simple requests (GET, POST with form encodings) still reach the handler even when the origin is not allowed, so authentication and CSRF protection on the routes themselves are still required.
Common Configurations
Allow a specific domain
CORS_ORIGINS=https://app.example.com
Allow multiple domains
CORS_ORIGINS=https://app.example.com,https://admin.example.com
Allow wildcard subdomains
CORS_ORIGINS=*.example.com
A wildcard entry trusts every host under example.com, including subdomains you do not control (user-hosted content, staging hosts, dangling DNS records). Prefer an explicit list where practical.
Allow credentials (e.g., cookie-based auth from a browser)
CORS_ORIGINS=https://app.example.com
CORS_ALLOW_CREDENTIALS=true
When CORS_ALLOW_CREDENTIALS=true, the response carries Access-Control-Allow-Credentials: true and the request's Origin header is echoed back in Access-Control-Allow-Origin instead of *. Browsers reject a wildcard * on responses to requests made with credentials: include, so the two settings are incompatible. Always use explicit origins when credentials are enabled: every origin that is echoed can make authenticated requests to /api/* on behalf of the logged-in user and read the responses, so each entry in CORS_ORIGINS must be a site you control.
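To make the origin matching and the credentials rule concrete, here is an added example resolver in TypeScript. It is not proxy.ts or any other code from the project; the way it matches *.example.com (host suffix only, any scheme, the bare apex excluded) and its refusal to start when * is combined with credentials are choices made for this example, not documented behaviour of the middleware.

```typescript
// Added example, not the project's proxy.ts: computes the CORS response headers
// for one request from the CORS_ENABLED / CORS_ORIGINS / CORS_ALLOW_CREDENTIALS
// variables. Returns null when no CORS headers should be sent.

interface CorsEnv {
  CORS_ENABLED?: string;
  CORS_ORIGINS?: string;
  CORS_ALLOW_CREDENTIALS?: string;
}

type CorsHeaders = Record<string, string>;

// Comma-separated list, trimmed and lower-cased; empty entries dropped.
function parseOrigins(raw: string | undefined): string[] {
  return (raw ?? "")
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter((s) => s.length > 0);
}

// Host part of an Origin header value, or null if it does not parse.
function hostOf(origin: string): string | null {
  try {
    return new URL(origin).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Assumption: "*.example.com" matches any host that ends in ".example.com"
// (a real subdomain, any scheme) but not the apex "example.com" itself.
// Anything else is compared as an exact, case-insensitive origin string.
function originMatches(pattern: string, origin: string): boolean {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const host = hostOf(origin);
    if (host === null) return false;
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === origin.toLowerCase();
}

function resolveCorsHeaders(env: CorsEnv, requestOrigin: string | undefined): CorsHeaders | null {
  if (env.CORS_ENABLED === "false") return null; // same-origin only
  const allowed = parseOrigins(env.CORS_ORIGINS);
  if (allowed.length === 0) return null; // default: no cross-origin access
  const credentials = env.CORS_ALLOW_CREDENTIALS === "true";
  // Assumption: fail closed instead of silently reflecting every Origin.
  if (credentials && allowed.includes("*")) {
    throw new Error("CORS_ORIGINS=* cannot be combined with CORS_ALLOW_CREDENTIALS=true");
  }
  if (!requestOrigin) return null; // not a cross-origin browser request
  if (!allowed.some((p) => originMatches(p, requestOrigin))) return null;

  const headers: CorsHeaders = {};
  if (!credentials && allowed.includes("*")) {
    headers["Access-Control-Allow-Origin"] = "*";
  } else {
    // Echo the matched origin, never "*", and tell caches the answer
    // depends on the Origin header.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Vary"] = "Origin";
    if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}
```

The Vary: Origin header matters whenever the origin is echoed: without it a shared cache can serve a response stamped with one origin to a page on another, and a browser on that other page will then be refused (or, worse, allowed if the cached origin was the attacker's).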
Disable CORS entirely (same-origin only)
CORS_ENABLED=false
All Variables
See Environment Variables for the full variable reference.