0
0
Supabasecloud~10 mins

CORS configuration in Supabase - Step-by-Step Execution

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Process Flow - CORS configuration
Client sends request
Browser sets Origin
Request reaches Supabase API
Supabase checks allowed origins
Response sent
Browser accepts
When a client sends a request, the browser includes the Origin header. Supabase checks if the origin is allowed. If allowed, it responds with CORS headers; if not, the browser blocks the response due to missing CORS headers.
Execution Sample
Supabase
// Origin: https://example.com (automatically set by browser)
await supabase.from('test').select('*');
This simulates a client request from 'https://example.com' to Supabase with an Origin header.
Process Table
StepActionOrigin HeaderCORS Allowed OriginsCORS Check ResultRequest Outcome
1Client sends requesthttps://example.comhttps://example.com, https://app.example.comOrigin matches allowed listRequest proceeds
2Supabase receives requesthttps://example.comhttps://example.com, https://app.example.comOrigin allowedResponse sent with CORS headers
3Browser receives responsehttps://example.comhttps://example.com, https://app.example.comCORS headers presentBrowser accepts response
4Client sends requesthttps://malicious.comhttps://example.com, https://app.example.comOrigin not in allowed listRequest blocked
5Browser blocks responsehttps://malicious.comhttps://example.com, https://app.example.comNo CORS headersBrowser blocks response
💡 Requests from origins not in the allowed list are blocked by the browser due to missing CORS headers.
Status Tracker
VariableStartAfter Step 1After Step 2After Step 3After Step 4After Step 5
Origin HeaderNonehttps://example.comhttps://example.comhttps://example.comhttps://malicious.comhttps://malicious.com
CORS Allowed Originshttps://example.com, https://app.example.comhttps://example.com, https://app.example.comhttps://example.com, https://app.example.comhttps://example.com, https://app.example.comhttps://example.com, https://app.example.comhttps://example.com, https://app.example.com
CORS Check ResultNoneAllowedAllowedAllowedNot AllowedNot Allowed
Request OutcomeNoneProceedResponse SentAcceptedBlockedBlocked
Key Moments - 2 Insights
Why does the browser block the request from 'https://malicious.com' even though the request reaches Supabase?
Because 'https://malicious.com' is not in the allowed origins list, Supabase does not send CORS headers. The browser sees this and blocks the response as shown in steps 4 and 5.
What happens if the Origin header matches one of the allowed origins?
Supabase includes CORS headers in the response, so the browser accepts the response and allows the client to use it, as shown in steps 1 to 3.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, what is the CORS Check Result at Step 4?
AAllowed
BNot Allowed
CPending
DUnknown
💡 Hint
Check the 'CORS Check Result' column for Step 4 in the execution table.
At which step does the browser accept the response?
AStep 3
BStep 2
CStep 4
DStep 5
💡 Hint
Look at the 'Request Outcome' column to find when the browser accepts the response.
If we add 'https://malicious.com' to the allowed origins, what changes in the execution table?
AStep 1 Origin Header changes
BStep 5 Request Outcome remains Blocked
CStep 4 CORS Check Result becomes Allowed
DNo changes occur
💡 Hint
Adding an origin to allowed origins affects the CORS Check Result for requests from that origin.
Concept Snapshot
CORS configuration controls which website origins can access Supabase APIs.
Set allowed origins in Supabase settings.
Browser sends Origin header with requests.
Supabase responds with CORS headers if origin allowed.
Browser blocks responses without matching CORS headers.
Proper CORS setup prevents unauthorized cross-site requests.
Full Transcript
CORS configuration is a security feature that controls which websites can access Supabase APIs. When a client sends a request, the browser includes the Origin header. Supabase checks if this origin is in its allowed list. If yes, it sends back CORS headers allowing the browser to accept the response. If not, the browser blocks the response to protect the user. This flow ensures only trusted websites can interact with Supabase resources.