
CORS

CORS headers are applied to all /api/* routes by the root middleware (proxy.ts).

CORS_ORIGINS defaults to empty, which blocks all cross-origin requests: no origin is allowed, so no Access-Control-Allow-Origin header is sent and browsers reject the response. You must explicitly list the allowed origins for production.

Common Configurations

Allow a specific domain

CORS_ORIGINS=https://app.example.com

Allow multiple domains

CORS_ORIGINS=https://app.example.com,https://admin.example.com

Allow wildcard subdomains

CORS_ORIGINS=*.example.com

Allow credentials

CORS_ORIGINS=https://app.example.com
CORS_ALLOW_CREDENTIALS=true

When CORS_ALLOW_CREDENTIALS=true, the request's Origin header is echoed back in Access-Control-Allow-Origin instead of *, and Access-Control-Allow-Credentials: true is added. The wildcard * is incompatible with credentials: include, so always list explicit origins when credentials are enabled.

Disable CORS entirely (same-origin only)

CORS_ENABLED=false
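The resolution rules above, worked through as an added example (this is illustrative code, not the project's proxy.ts): the environment keys are the ones on this page; treating a *.example.com entry as matching any scheme, and failing closed when * is combined with credentials, are assumptions.

```typescript
interface CorsEnv {
  CORS_ENABLED?: string;
  CORS_ORIGINS?: string;
  CORS_ALLOW_CREDENTIALS?: string;
}

// Parse the comma-separated allow-list; an empty value allows nothing.
function parseOrigins(value: string | undefined): string[] {
  return (value ?? "").split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// True when `origin` (e.g. "https://app.example.com") matches one allow-list entry.
// A "*.example.com" entry matches any subdomain host (assumption: on any scheme),
// but never the bare apex "example.com".
function originMatches(origin: string, pattern: string): boolean {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    let host = "";
    try {
      host = new URL(origin).hostname;
    } catch {
      return false; // malformed Origin value: not allowed
    }
    return host.endsWith(pattern.slice(1)); // ".example.com" suffix
  }
  return origin === pattern; // exact scheme+host(+port) match
}

// Compute the CORS response headers for one request, or null when the response
// must carry no CORS headers (CORS disabled, no Origin header, or origin not allowed).
function corsHeaders(origin: string | undefined, env: CorsEnv): Record<string, string> | null {
  if (env.CORS_ENABLED === "false" || origin === undefined) return null;
  const allowed = parseOrigins(env.CORS_ORIGINS);
  const credentials = env.CORS_ALLOW_CREDENTIALS === "true";
  if (credentials && allowed.includes("*")) {
    // "*" cannot be combined with credentials; fail closed instead of echoing every origin.
    throw new Error("CORS_ORIGINS=* is incompatible with CORS_ALLOW_CREDENTIALS=true");
  }
  if (!allowed.some((p) => originMatches(origin, p))) return null;
  const headers: Record<string, string> = {
    // Echo the exact origin unless the allow-list is the bare "*" without credentials.
    "Access-Control-Allow-Origin": credentials || !allowed.includes("*") ? origin : "*",
    Vary: "Origin", // caches must not reuse an echoed origin for another origin
  };
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}
```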

All Variables

See Environment Variables for the full variable reference.
