Setup Cross-Origin Resource Sharing (CORS)

:notebook_with_decorative_cover: This how-to guide walks you through setting up Cross-Origin Resource Sharing (CORS) in Discourse.

CORS is a browser mechanism that allows resources on a web page (e.g., fonts, JavaScript, etc.) to be requested from a domain other than the one the page itself was served from.

Here’s how you can set up CORS on your Discourse site:

Prerequisites

Before getting started, the DISCOURSE_ENABLE_CORS environment variable must be set to true to enable CORS.

For assistance with this, see How to Set Environment Variables.

:sparkles: If you are on a Discourse hosted site, this step has already been done, and you do not need to take any additional action to configure this.

Access Site Settings

Go to your Discourse admin panel. From there, navigate to the “Settings” tab.

Locate CORS Settings

In the “Settings” tab, use the search bar and type in cors origin. You should see the following setting related to CORS:

This setting allows you to specify the domains that are allowed to make cross-origin requests to your Discourse instance.

You should enter the exact domains here, separated by a space. Avoid using a wildcard (*) as this can pose security risks.

When adding multiple domains here, each URL should be separated by a space. For example:

Save Changes

After you’ve made the necessary changes, don’t forget to click the Save Changes button at the bottom of the page.

Important Notes

Improper implementation of CORS (Cross-Origin Resource Sharing) can introduce potential security risks. Here are a few things to keep in mind when enabling CORS on your site:

  • Specify exact domains: Using wildcards (*) in the CORS configuration can allow any domain to interact with your server, which is a significant security risk. It’s recommended to specify exact domains.
  • Minimize exposed data: CORS should be set up to expose only the necessary data to external domains that you trust. Granting CORS access to sites you do not control is not recommended.
  • Use HTTPS: When possible, avoid allowing non-HTTPS sites in your CORS configuration, as this can expose data in an unencrypted format.
2 Likes
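To make the advice above concrete, here is an added example (my own illustration, not Discourse's code) that models the two inputs the guide describes: the DISCOURSE_ENABLE_CORS environment variable and the space-separated cors origin setting. It lints a proposed setting value for the pitfalls listed under Important Notes (wildcards, non-HTTPS entries, malformed origins) and then decides, by exact comparison of canonical origins, which Access-Control-Allow-Origin value a request should get. All domain names in it are constructed for the example; the function names are hypothetical and do not correspond to anything in the Discourse code base.

```ruby
# Added example, not Discourse's own code. It models the DISCOURSE_ENABLE_CORS
# environment variable and the space-separated "cors origin" site setting
# described in the guide, and shows why an exact-origin allow-list is the safe
# shape for that setting. Function names and sample domains are hypothetical.
require "uri"

# Reduce an origin string to canonical "scheme://host[:port]" form.
# Returns nil for anything that is not an absolute http(s) origin
# (e.g. "*", "null", a bare hostname, or an entry that carries a path).
def normalize_origin(value)
  uri = URI.parse(value.to_s.strip)
  return nil unless uri.is_a?(URI::HTTP) && uri.host
  return nil unless (uri.path.empty? || uri.path == "/") && uri.query.nil? && uri.fragment.nil?
  port = uri.port == uri.default_port ? "" : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host.downcase}#{port}"
rescue URI::InvalidURIError
  nil
end

# Parse the "cors origin" setting (origins separated by spaces) into a
# canonical allow-list. An invalid entry raises rather than being dropped,
# so a typo cannot silently widen or narrow the list.
def parse_cors_origins(setting)
  setting.to_s.split(/\s+/).reject(&:empty?).map do |entry|
    origin = normalize_origin(entry)
    raise ArgumentError, "not an absolute origin: #{entry.inspect}" unless origin
    origin
  end
end

# Review a proposed setting value before saving it and return the findings
# that correspond to the Important Notes above.
def lint_cors_origins(setting)
  findings = []
  setting.to_s.split(/\s+/).reject(&:empty?).each do |entry|
    origin = normalize_origin(entry)
    if entry.include?("*")
      findings << "#{entry}: wildcard lets any origin read responses; list exact domains instead"
    elsif origin.nil?
      findings << "#{entry}: not an absolute origin (expected scheme://host[:port])"
    elsif origin.start_with?("http://")
      findings << "#{entry}: non-HTTPS origin; cross-origin responses would travel unencrypted"
    end
  end
  findings
end

# Decide the Access-Control-Allow-Origin value for one request. Returns the
# matching origin to echo back, or nil when no CORS header should be sent.
# The comparison is an exact match of canonical origins, so neither
# "https://app.example.com.attacker.test" nor "http://app.example.com"
# matches an allow-list entry of "https://app.example.com".
def cors_allowed_origin(request_origin, setting, cors_enabled: ENV["DISCOURSE_ENABLE_CORS"] == "true")
  return nil unless cors_enabled
  allow_list = parse_cors_origins(setting)
  origin = normalize_origin(request_origin)
  return nil if origin.nil? # covers a missing, "null" or malformed Origin header
  allow_list.include?(origin) ? origin : nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample setting and request origins (hypothetical domains).
  setting = "https://app.example.com https://blog.example.com:8443"
  puts lint_cors_origins("* http://legacy.example.com https://ok.example.com")
  %w[https://app.example.com https://app.example.com.attacker.test http://app.example.com null].each do |o|
    puts "#{o} => #{cors_allowed_origin(o, setting, cors_enabled: true).inspect}"
  end
end
```

Two design points worth noting: the allow-list is compared as whole canonical origins rather than by prefix or substring, which is the mistake that turns "app.example.com" into a match for "app.example.com.attacker.test"; and the request-time check fails closed (no header at all) when CORS is disabled, when the Origin header is absent or "null", or when the origin differs from an entry only by scheme or port.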

And if Google ads are in use, perhaps it is better to keep hands off this setting :wink:

CORS (and CSP) is a bit problematic because quite often a site must allow de facto everything and then it is close to useless.

2 Likes