Improve CORS documentation
This commit is contained in:
parent
4249fcefba
commit
6623dfe7da
BIN
docs/assets/frequi_url.png
Normal file
BIN
docs/assets/frequi_url.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 11 KiB |
@ -330,12 +330,15 @@ Since the access token has a short timeout (15 min) - the `token/refresh` reques
|
||||
|
||||
### CORS
|
||||
|
||||
All web-based front-ends are subject to [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) - Cross-Origin Resource Sharing.
|
||||
Since most of the requests to the Freqtrade API must be authenticated, a proper CORS policy is key to avoid security problems.
|
||||
Also, the standard disallows `*` CORS policies for requests with credentials, so this setting must be set appropriately.
|
||||
This whole section is only necessary in cross-origin cases (where you multiple bot API's running on `localhost:8081`, `localhost:8082`, ...), and want to combine them into one FreqUI instance.
|
||||
|
||||
Users can configure this themselves via the `CORS_origins` configuration setting.
|
||||
It consists of a list of allowed sites that are allowed to consume resources from the bot's API.
|
||||
??? info "Technical explanation"
|
||||
All web-based front-ends are subject to [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) - Cross-Origin Resource Sharing.
|
||||
Since most of the requests to the Freqtrade API must be authenticated, a proper CORS policy is key to avoid security problems.
|
||||
Also, the standard disallows `*` CORS policies for requests with credentials, so this setting must be set appropriately.
|
||||
|
||||
Users can allow access from different origin URL's to the bot API via the `CORS_origins` configuration setting.
|
||||
It consists of a list of allowed URL's that are allowed to consume resources from the bot's API.
|
||||
|
||||
Assuming your application is deployed as `https://frequi.freqtrade.io/home/` - this would mean that the following configuration becomes necessary:
|
||||
|
||||
@ -348,5 +351,19 @@ Assuming your application is deployed as `https://frequi.freqtrade.io/home/` - t
|
||||
}
|
||||
```
|
||||
|
||||
In the following (pretty common) case, FreqUI is accessible on `http://localhost:8080/trade` (this is what you see in your navbar when navigating to freqUI).
|
||||
![freqUI url](assets/frequi_url.png)
|
||||
|
||||
The correct configuration for this case is `http://localhost:8080` - the main part of the URL including the port.
|
||||
|
||||
```jsonc
|
||||
{
|
||||
//...
|
||||
"jwt_secret_key": "somethingrandom",
|
||||
"CORS_origins": ["http://localhost:8080"],
|
||||
//...
|
||||
}
|
||||
```
|
||||
|
||||
!!! Note
|
||||
We strongly recommend to also set `jwt_secret_key` to something random and known only to yourself to avoid unauthorized access to your bot.
|
||||
|
Loading…
Reference in New Issue
Block a user