Closed taowang1993 closed 1 month ago
The CORS environment variables in Dify are used to set cross-origin access policies. Specifically:

- `CONSOLE_CORS_ALLOW_ORIGINS`: This sets the CORS policy for the console. By default, it is set to `*`, allowing access from all domains.
- `WEB_API_CORS_ALLOW_ORIGINS`: This sets the CORS policy for the web application. By default, it is also set to `*`, allowing access from all domains.

If you set these variables to your own domain, it will restrict access to only your specified domain, thereby preventing others from embedding your chatbot. For example:

```
CONSOLE_CORS_ALLOW_ORIGINS=my-frontend-domain
WEB_API_CORS_ALLOW_ORIGINS=my-frontend-domain
```

This configuration ensures that only requests from `my-frontend-domain` are allowed, preventing unauthorized embedding of your chatbot [1][2].

To continue talking to Dosu, mention @dosu.
I already set them to my own domain:

```
WEB_API_CORS_ALLOW_ORIGINS=https://riverhill.ai
CONSOLE_CORS_ALLOW_ORIGINS=https://riverhill.ai
```

But I can still embed the chatbot on other domains. I want to make sure the chatbot only works on my domain.
To ensure that your chatbot only works on your domain, you need to set additional environment variables beyond `WEB_API_CORS_ALLOW_ORIGINS` and `CONSOLE_CORS_ALLOW_ORIGINS`. Here are the steps you should follow:

1. Set the URL environment variables to your domain:

```
export CONSOLE_API_URL="https://riverhill.ai/api/console"
export CONSOLE_WEB_URL="https://riverhill.ai/console"
export SERVICE_API_URL="https://riverhill.ai/api/service"
export APP_API_URL="https://riverhill.ai/api/app"
export APP_WEB_URL="https://riverhill.ai/app"
```

2. Ensure `WEB_API_CORS_ALLOW_ORIGINS` and `CONSOLE_CORS_ALLOW_ORIGINS` are set to your domain:

```
export WEB_API_CORS_ALLOW_ORIGINS="https://riverhill.ai"
export CONSOLE_CORS_ALLOW_ORIGINS="https://riverhill.ai"
```

3. Add a referrer check in your code:

```js
export const isMyDomain = () => {
  return document.referrer.includes('riverhill.ai')
}
```

By setting these environment variables and adding a referrer check in your code, you can ensure that your chatbot only works on your specified domain [1][2].

To continue talking to Dosu, mention @dosu.
Self Checks
Provide a description of requested docs changes
If I set these variables to my own domain, does it prevent others from embedding my chatbot? The iframe already exposes the URL; people can just copy the iframe code and embed my chatbot.

```
CONSOLE_CORS_ALLOW_ORIGINS=my-frontend-domain
WEB_API_CORS_ALLOW_ORIGINS=my-frontend-domain
```