Configuring CORS

The CORS policy of the search API can be configured to limit which hosts can make search requests through a browser.

This is done either through the UI or through the GeneralSettings endpoints in the admin API. To set the allowed hostnames, add them to the list in the settings; requests from other sources will then be rejected. If the list is empty, any hostname is allowed to make search requests.

It is generally recommended to restrict allowed hostnames to just the sites that need access to the search API.


With an empty list of hostnames, search requests can currently be made from any host. To restrict CORS, add the hostname of the site that needs access to the list of allowed hostnames. Only requests coming from that site will then be allowed in a browser.
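
The allow-list rule described above can be checked against a set of origins before a list is saved. The following is an added example, not code from the product: the function names and sample hostnames are hypothetical, and it assumes list entries are bare hostnames that are compared exactly.

```javascript
// Added example, not the product's code. Models the rule in the text:
// an empty list admits any hostname, a non-empty list admits only listed ones.
// Assumption: entries are bare hostnames, compared exactly and case-insensitively.

// Return the hostname of an Origin header value, or null if it is unusable.
function originHostname(origin) {
  if (typeof origin !== "string" || origin === "null") return null; // opaque origin
  try {
    const url = new URL(origin);
    if (url.protocol !== "http:" && url.protocol !== "https:") return null;
    return url.hostname.toLowerCase(); // port is ignored: the list holds hostnames
  } catch {
    return null; // malformed Origin header
  }
}

function isOriginAllowed(origin, allowedHostnames) {
  if (allowedHostnames.length === 0) return true; // empty list: open to any host
  const host = originHostname(origin);
  if (host === null) return false;
  // Exact match only; a suffix or substring test would also admit
  // hostnames that merely contain a listed name.
  return allowedHostnames.some((h) => h.trim().toLowerCase() === host);
}

// Summarise a policy against origins you expect to be admitted or refused.
function auditPolicy(allowedHostnames, origins) {
  return {
    open: allowedHostnames.length === 0,
    results: origins.map((o) => ({ origin: o, allowed: isOriginAllowed(o, allowedHostnames) })),
  };
}

// Constructed sample data (hypothetical hostnames).
const sampleOrigins = [
  "https://shop.example.com",
  "https://SHOP.example.com:8443",
  "https://shop.example.com.other.test",
  "https://notshop.example.com",
  "null",
];
console.log(auditPolicy(["shop.example.com"], sampleOrigins));
console.log(auditPolicy([], sampleOrigins));
```

An audit result with `open: true` means the list is empty and every origin in the sample is admitted.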