This how-to guide walks you through setting up Cross-Origin Resource Sharing (CORS) in Discourse.
Here’s how you can set up CORS on your Discourse site:
Before getting started, the DISCOURSE_ENABLE_CORS environment variable must be set to true to enable CORS.
For assistance with this, see How to Set Environmental Variables.
If your site is hosted by Discourse, this has already been done for you and no further action is needed.
Go to your Discourse admin panel. From there, navigate to the “Settings” tab.
In the “Settings” tab, use the search bar and type in cors origin. You should see the following setting related to CORS:
This setting allows you to specify the domains that are allowed to make cross-origin requests to your Discourse instance.
Enter the exact domains here, separated by a space. Avoid using a wildcard (*), as this can pose security risks.
When adding multiple domains, each URL should be separated by a space. For example:
After you’ve made the necessary changes, don’t forget to click the Save Changes button at the bottom of the page.
Misconfigured CORS can introduce security risks. Here are a few things to keep in mind when enabling CORS on your site:
- Specify exact domains: Using a wildcard (*) in the CORS configuration allows any domain to interact with your server, which is a significant security risk. Specify exact domains instead.
- Minimize exposure: Grant CORS access only to trusted external domains that actually need it. Allowing sites you do not control CORS access is not recommended.
- Use HTTPS: When possible, avoid allowing non-HTTPS sites in your CORS configuration, as data exchanged with them can travel unencrypted.
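The following Ruby snippet is an added example, not Discourse’s own code. It models the advice above for both the cors origin setting and the security checklist: it lints a space-separated allowlist (flagging a wildcard, plain-http origins and entries that are not origins) and shows how an exact-match server decides which Access-Control-Allow-Origin value to send. The helper names and the sample origins are constructed for illustration.

```ruby
require "uri"

# Lint a space-separated allowlist (as this guide describes the setting).
# Returns an array of warnings; an empty array means the list looks sound.
def lint_cors_origins(setting)
  warnings = []
  origins = setting.split(" ")
  warnings << "allowlist is empty" if origins.empty?
  origins.each do |o|
    if o == "*"
      warnings << "wildcard '*' lets any site make cross-origin requests"
      next
    end
    uri = URI.parse(o) rescue nil
    # An origin is scheme://host[:port]; a bare hostname has no scheme.
    if uri.nil? || uri.host.nil? || !%w[http https].include?(uri.scheme)
      warnings << "#{o}: not an origin (expected scheme://host[:port])"
      next
    end
    warnings << "#{o}: plain http origin, prefer https" if uri.scheme == "http"
    unless uri.path.empty? || uri.path == "/"
      warnings << "#{o}: origin must not include a path"
    end
  end
  warnings
end

# Decide the Access-Control-Allow-Origin value for an incoming request.
# Only an exact, case-insensitive match against the allowlist is honoured;
# a wildcard entry is ignored rather than echoed, and the request's own
# Origin is never reflected back unless it is on the list. Returns nil
# when no CORS header should be sent.
def allow_origin_header(setting, request_origin)
  return nil if request_origin.nil?
  allowed = setting.split(" ").reject { |o| o == "*" }.map(&:downcase)
  allowed.include?(request_origin.downcase) ? request_origin : nil
end

# Constructed sample values for a quick manual run.
if __FILE__ == $PROGRAM_NAME
  sample = "* http://legacy.example.com app.example.com https://a.example.com/forum"
  lint_cors_origins(sample).each { |w| puts "warning: #{w}" }
  p allow_origin_header("https://app.example.com", "https://app.example.com")
  p allow_origin_header("https://app.example.com", "https://app.example.com.evil.net")
end
```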