CORS configuration lets your web app safely ask for data from your Supabase backend even if they are on different websites.
CORS configuration in Supabase
cors:
  allowed_origins:
    - 'https://example.com'
    - 'https://another-site.com'
  allowed_methods:
    - GET
    - POST
  allowed_headers:
    - Content-Type
    - Authorization

allowed_origins is a list of website addresses allowed to access your backend.
You can specify which HTTP methods and headers are allowed for security.
https://myapp.com to access your Supabase backend.

cors:
  allowed_origins:
    - 'https://myapp.com'

cors:
  allowed_origins:
    - '*'

cors:
  allowed_origins:
    - 'https://site1.com'
    - 'https://site2.com'
  allowed_methods:
    - GET
    - POST
  allowed_headers:
    - Authorization

This configuration allows only https://myfrontend.com to call your Supabase backend using GET and POST requests. It also allows the headers Content-Type and Authorization for these requests.
cors:
  allowed_origins:
    - 'https://myfrontend.com'
  allowed_methods:
    - GET
    - POST
  allowed_headers:
    - Content-Type
    - Authorization

Always restrict allowed_origins to trusted websites to keep your backend safe.
Using '*' for origins allows any website but can expose your backend to risks.
Test your CORS settings by trying to access your backend from different websites.
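To see what such a test should return before pointing a browser at the backend, the following added example (not code from the original page or from Supabase) models how a server enforcing the https://myfrontend.com configuration above would answer a preflight request, and flags risky entries in allowed_origins. The function names evaluatePreflight and lintPolicy and the shape of the request object are assumptions made for illustration.

```javascript
// Added example: models the checks, not Supabase's own implementation.
// Policy values are copied from the page's https://myfrontend.com config.
const policy = {
  allowed_origins: ['https://myfrontend.com'],
  allowed_methods: ['GET', 'POST'],
  allowed_headers: ['Content-Type', 'Authorization'],
};

// Decide a preflight (OPTIONS) request. `req` (hypothetical shape) carries the
// Origin, Access-Control-Request-Method and Access-Control-Request-Headers values.
function evaluatePreflight(policy, req) {
  const deny = (reason) => ({ allowed: false, reason, headers: {} });
  const wildcard = policy.allowed_origins.includes('*');
  // Origins match as exact strings: scheme, host and port must all agree.
  if (!wildcard && !policy.allowed_origins.includes(req.origin)) {
    return deny('origin not allowed');
  }
  if (!policy.allowed_methods.includes(req.method)) return deny('method not allowed');
  // Header names are case-insensitive.
  const allowed = policy.allowed_headers.map((h) => h.toLowerCase());
  const extra = (req.headers || []).filter((h) => !allowed.includes(h.toLowerCase()));
  if (extra.length > 0) return deny(`header not allowed: ${extra.join(', ')}`);
  const headers = {
    'Access-Control-Allow-Origin': wildcard ? '*' : req.origin,
    'Access-Control-Allow-Methods': policy.allowed_methods.join(', '),
    'Access-Control-Allow-Headers': policy.allowed_headers.join(', '),
  };
  // An echoed origin varies per request, so caches must key on Origin.
  if (!wildcard) headers.Vary = 'Origin';
  return { allowed: true, reason: 'ok', headers };
}

// Flag entries that are risky or can never match a browser's Origin header.
function lintPolicy(policy) {
  const findings = [];
  for (const origin of policy.allowed_origins) {
    if (origin === '*') {
      findings.push("allowed_origins contains '*': any website is allowed");
      continue;
    }
    let bare = false;
    try { bare = new URL(origin).origin === origin; } catch { bare = false; }
    if (!bare) findings.push(`not a bare origin (scheme://host[:port]): ${origin}`);
  }
  return findings;
}
```

An entry with a trailing slash or path, such as 'https://myfrontend.com/', is reported by lintPolicy because browsers send the Origin header without a path, so an exact comparison would never match it.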
CORS controls which websites can talk to your Supabase backend.
Set allowed origins, methods, and headers to keep your data safe.
Use specific origins instead of '*' for better security.