Allowed Origins
Allowed Origins is a security feature that controls which domains can access your media sources and transformations through Cross-Origin Resource Sharing (CORS). This helps protect your media from unauthorized access while enabling legitimate cross-domain requests.
When a web browser makes a request to your media from a different domain (cross-origin request), the browser checks if that domain is allowed to access the resource. The Allowed Origins setting defines which domains have permission to make these requests.
For example, if your media is hosted on media.example.com but your website runs on www.example.com, you’ll need to configure allowed origins to permit cross-domain access.
Configuration
Allowed origins are configured as part of your space’s media settings security configuration:

Default Setting
By default, all origins are allowed using the wildcard "*". This provides maximum flexibility but minimal security.
Origin Format
Origins must be specified in full URL format including the protocol:
✅ Correct formats:
- "https://www.example.com"
- "https://app.*.com:3000"
- "http://localhost:8080"
- "*" (wildcard for all origins)
❌ Incorrect formats:
- "www.example.com" (missing protocol)
- "*.example.com" (subdomain wildcards not supported)
- "example.com" (missing protocol)
Best Practices
✅ Recommended
- Be specific: List only the domains that actually need access
- Use HTTPS: Always prefer https:// origins in production
- Include ports: Specify port numbers when using non-standard ports
- Regular audits: Review and update your allowed origins periodically
❌ Avoid
- Wildcard in production: Avoid using "*" for production environments
- HTTP in production: Don’t use http:// origins for production sites
- Overly broad permissions: Don’t include domains that don’t need access
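
A pre-save check for an allowed-origins list, applying the format rules and best practices above. This is an added example, not code from the product: `lintOrigin` and `lintAllowedOrigins` are hypothetical names, and the `scheme://host[:port]` shape (with "*" permitted inside a host, as in "https://app.*.com:3000" above) is an assumption about what the service accepts.

```javascript
// Added example: lint an allowed-origins list before saving it.
// lintOrigin / lintAllowedOrigins are hypothetical helper names.
// Assumed shape: http(s)://host[:port]. "*" inside a host is accepted
// because the page lists "https://app.*.com:3000" as a correct format.
const ORIGIN_RE = /^(https?):\/\/([A-Za-z0-9*.-]+)(?::(\d{1,5}))?$/;

function lintOrigin(origin) {
  if (origin === "*") {
    return { origin, level: "warn", reason: "wildcard allows every origin" };
  }
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(origin)) {
    return { origin, level: "error", reason: "missing protocol" };
  }
  const m = ORIGIN_RE.exec(origin);
  if (!m) {
    return { origin, level: "error", reason: "not http(s)://host[:port]" };
  }
  const [, scheme, , port] = m;
  if (port !== undefined && (Number(port) < 1 || Number(port) > 65535)) {
    return { origin, level: "error", reason: "port out of range" };
  }
  if (scheme === "http") {
    return { origin, level: "warn", reason: "http:// origin, avoid in production" };
  }
  return { origin, level: "ok", reason: "" };
}

function lintAllowedOrigins(origins) {
  const results = origins.map(lintOrigin);
  // Duplicates are harmless but make periodic audits harder to read.
  const seen = new Set();
  for (const r of results) {
    if (seen.has(r.origin) && r.level === "ok") {
      r.level = "warn";
      r.reason = "duplicate entry";
    }
    seen.add(r.origin);
  }
  return results;
}

// Constructed sample: the correct and incorrect formats listed on this page.
const sample = ["https://www.example.com", "https://app.*.com:3000",
  "http://localhost:8080", "*", "www.example.com", "*.example.com", "example.com"];
for (const r of lintAllowedOrigins(sample)) {
  console.log(`${r.level.padEnd(5)} ${r.origin} ${r.reason}`);
}
```
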