What is the main reason to configure CORS (Cross-Origin Resource Sharing) in a Supabase project?
Think about why browsers restrict web pages from calling APIs on different domains.
CORS is a security feature that controls which web pages from other origins can access your Supabase APIs. It prevents unauthorized cross-origin requests.
You want to allow only your website https://myapp.example.com to access your Supabase API. Which CORS origin setting is correct?
Remember CORS origins must include the scheme (http or https) and be exact.
Only the exact origin with https scheme matches your website. Using * allows all origins, which is insecure. Omitting scheme or using http is incorrect.
If you set CORS origin to * in Supabase, what is a likely security risk?
Think about what allowing all origins means for API access.
Setting CORS to * means any website can call your API, risking data exposure or misuse if authentication is weak.
What happens when a browser calls a Supabase API from an origin not listed in the CORS configuration?
Consider how browsers enforce CORS policies on responses.
If the response lacks the correct CORS headers for the calling origin, browsers block frontend JavaScript from accessing the response, even if the server sends data.
You have two frontend apps: https://app1.example.com and https://app2.example.com. How should you configure CORS in Supabase to allow both securely?
Check how Supabase expects multiple origins to be listed.
Supabase allows multiple origins by listing them separated by commas. Using * is insecure. Omitting subdomains or combining origins without commas is invalid.