CORS and Security
Configure frontend origins, credentialed browser requests, trusted hosts, and publish requirements for Spala project APIs.
CORS and Security
Use this page when a browser frontend, mobile app, or external UI needs to call a Spala project API.
Owner Checklist
1. Open the project in the hosted dashboard. 2. Go to Settings → Security. 3. Add the exact frontend origin in CORS Allowed Origins. 4. Include the scheme, host, and port, such as https://app.example.com or http://localhost:5173. 5. Do not include URL paths. 6. Allow the request headers the frontend sends, usually Authorization and Content-Type. 7. Enable credentialed requests only when the project intentionally uses cookie sessions. 8. Save the settings. 9. Publish the backend API before asking the frontend developer to retest.
Publish after security changes
Saved CORS/security settings do not help the live API until the project is published. If curl works but browser requests fail, confirm the origin is exact and the latest settings are published.
Browser Rules
Browser CORS uses the page origin, not the API route:
https://app.example.com http://localhost:5173
Do not add paths such as https://app.example.com/dashboard.
If the frontend sends a bearer token, allow Authorization. If it sends JSON, allow Content-Type. If it uses cookies, the response must use the exact origin, not *, and must include credential support.
Cookie Sessions
Cookie sessions need a tighter contract than bearer tokens. Include these fields in the frontend handoff:
| Field | What to specify | | --- | --- | | Credential mode | include, same-origin, or none | | Cookie SameSite | Lax, Strict, or None | | Cookie Secure | Required for cross-site HTTPS cookies | | Domain/path | Which frontend and API hosts receive the cookie | | CSRF | Header name and source, or not required | | Logout | Local clear, server revoke, cookie expiry, or a combination |
Verification
After publishing, test one preflight-shaped browser request and one real request from the frontend origin.
OPTIONS /api/cases HTTP/1.1 Origin: https://app.example.com Access-Control-Request-Method: POST Access-Control-Request-Headers: authorization, content-type
Expected shape:
Access-Control-Allow-Origin: https://app.example.com Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS Access-Control-Allow-Headers: Authorization, Content-Type
For credentialed requests:
Access-Control-Allow-Credentials: true
Handoff Fields
Add these fields to External Frontend Handoff:
- Frontend origin - Whether the origin is saved in Settings → Security - Whether the backend was republished after the change - Required request headers - Whether credentials are enabled - Cookie and CSRF details if used
External Frontend Handoff /guides/frontend-handoff Copy the complete frontend packet Frontend Integration Cookbook /guides/frontend-integration Use CORS with auth, uploads, and realtime Publish /features/publish-export Publish security changes to the live API API Docs /features/api-docs Share REST contracts with frontend builders