I'm trying to add CORS for some of my sub-domains/domains so that only those will be able to access my Strapi resources, but unfortunately I'm unable to do so. I followed the documentation at https://docs.strapi.io/dev-docs/configurations/middlewares, but still no luck: I can still access the Strapi backend through any domain (currently testing with http://localhost:3000/, my Next.js project; Strapi is running on http://localhost:1337). I tried adding @koa/cors and added it in resolutions as well, but still no luck. Below are some details about the project and some related code:
package.json

```json
{
  "name": "blog",
  "version": "0.1.0",
  "private": true,
  "description": "A Strapi application",
  "license": "MIT",
  "author": {
    "name": "A Strapi developer"
  },
  "scripts": {
    "build": "strapi build",
    "dev": "strapi develop",
    "start": "strapi start",
    "strapi": "strapi"
  },
  "resolutions": {
    "@koa/cors": "3.4.1"
  },
  "dependencies": {
    "@_sh/strapi-plugin-ckeditor": "^1.1.1",
    "@aws-sdk/client-secrets-manager": "^3.480.0",
    "@koa/cors": "3.4.1",
    "@strapi/plugin-color-picker": "^4.9.1",
    "@strapi/plugin-graphql": "^4.25.2",
    "@strapi/plugin-i18n": "4.25.2",
    "@strapi/plugin-users-permissions": "4.25.2",
    "@strapi/provider-upload-aws-s3": "^4.25.2",
    "@strapi/strapi": "4.25.2",
    "mysql": "^2.18.1",
    "react": "^18.3.1",
    "react-dom": "^18.3.1",
    "react-router-dom": "^5.3.4",
    "styled-components": "^5.3.11"
  },
  "engines": {
    "node": ">=12.x.x <=16.x.x",
    "npm": ">=6.0.0"
  },
  "strapi": {
    "uuid": "ba9d89a9-e1d5-417e-acbf-c71785f9086f"
  },
  "devDependencies": {
    "ajv": "^8.16.0"
  }
}
```
config/middlewares.js

```javascript
module.exports = ({ env }) => {
  return [
    "strapi::errors",
    "strapi::security",
    "strapi::poweredBy",
    {
      name: "strapi::cors",
      config: {
        origin: env.array("CORS"),
        methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"],
        headers: ["Content-Type", "Authorization", "Origin", "Accept"],
        keepHeaderOnError: true,
      },
    },
    "strapi::logger",
    "strapi::query",
    "strapi::body",
    "strapi::favicon",
    "strapi::public",
  ];
};
```
I tried to upgrade Strapi to 4.25.2 but still no luck.

Expected behaviour: if http://localhost:3000 is not in Strapi's middleware origin list, it should get a CORS error and should not be able to access Strapi resources.

I've been trying different solutions as I mentioned, but none worked. If someone has any idea about this problem, then kindly help!
Thanks!
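
For readers checking a setup like the one in this post, the following added example (not part of the original post, and not Strapi or @koa/cors source) models how an origin allowlist takes effect: the server only chooses which response headers to send, and the browser decides whether page script may read the response. The helper names and the `example.com` origins are constructed for illustration.

```javascript
// Constructed model of CORS origin allowlisting (not Strapi or @koa/cors source).

// Parse a comma-separated env value such as CORS="https://a.example,https://b.example".
// Hypothetical helper: an unset or empty value yields [] (nothing allowed), never "*".
function parseAllowedOrigins(envValue) {
  return (envValue || '')
    .split(',')
    .map((o) => o.trim().replace(/\/+$/, '')) // an Origin header never has a trailing slash
    .filter(Boolean);
}

// Server side: decide which CORS response headers to emit for a request.
// The request itself is still processed; only the headers differ.
function corsResponseHeaders(requestOrigin, allowedOrigins) {
  const headers = { Vary: 'Origin' };
  if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
  }
  return headers;
}

// Browser side: page script may read a cross-origin response only if the
// header matches the page's origin ("*" counts for non-credentialed requests).
function browserExposesResponse(pageOrigin, responseHeaders) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  return acao === '*' || acao === pageOrigin;
}

// Constructed sample list: http://localhost:3000 is deliberately absent.
const allowed = parseAllowedOrigins('https://app.example.com, https://admin.example.com/');

function check(pageOrigin) {
  const headers = corsResponseHeaders(pageOrigin, allowed);
  return { pageOrigin, headers, readableByPageScript: browserExposesResponse(pageOrigin, headers) };
}

console.log(check('http://localhost:3000'));     // no allow-origin header: browser blocks the read
console.log(check('https://admin.example.com')); // origin echoed back: browser allows the read
console.log(corsResponseHeaders(undefined, allowed)); // no Origin header (curl, server-side fetch)
```

To check a running server the same way, send a request that carries an `Origin` header and look for `Access-Control-Allow-Origin` in the response. Requests made outside a browser page (curl, server-side code) are not subject to CORS, so an allowlist is not a substitute for authentication on the API.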