Configure CORS and Cookie Domain (Verified)
This guide explains how CORS allow‑lists and cookie domains work in the EmpowerNow stack for SPAs using the BFF.
What’s implemented (verified)
- CORS: The BFF parses an allow‑list of origins; a request's `Origin` is echoed back in `Access-Control-Allow-Origin` only if it is on that list. See canonical settings: ../reference/settings-reference.md#cors (`CORS__ALLOW_ORIGINS`, `CORS__DEV_ORIGINS`, `CORS__ALLOW_METHODS`, `CORS__ALLOW_HEADERS`, `CORS__ALLOW_CREDENTIALS`).
- Cookies: The session cookie is named `bff_session` (see security docs). Its domain and path are set by the `Set-Cookie` header in the BFF response and enforced by the browser; see canonical settings: ../reference/settings-reference.md#session-and-cookies (`BFF_COOKIE_DOMAIN`, `SESSION_LIFETIME`).
Same‑origin SPA vs cross‑origin dev
Steps
- Dev (cross‑origin)
  - Set `CORS__ALLOW_ORIGINS` to include your dev server (e.g., `http://localhost:5173`). Entries are exact origins, so scheme, host and port must all match the browser's `Origin` header. See ../reference/settings-reference.md#env-CORS__ALLOW_ORIGINS.
  - Do not use `*` when `CORS__ALLOW_CREDENTIALS` is on: browsers reject a wildcard on credentialed responses, and echoing arbitrary origins instead would let any site call the BFF with the user's session cookie.
  - For streaming endpoints, set `ALLOWED_STREAM_ORIGINS` if you use SSE from a different origin.
  - Verify preflights succeed; unauthenticated calls should return JSON with CORS headers.
  - A `SameSite=Lax` cookie is only sent on cross‑site requests that are top‑level navigations, so a `fetch` from `http://localhost:5173` to a BFF on another site carries no `bff_session`. For cookie‑authenticated calls in dev, proxy `/api/**` through the dev server so the request stays same‑origin, or serve the dev SPA under the same site as the BFF.
- Prod (same‑origin)
  - Serve the SPA and BFF under the same host (e.g., `automate.ocg.labs...` routes `/api/**` to the BFF).
  - The browser sends cookies automatically; no CORS preflight is triggered for `/api/**`, and no `Access-Control-Allow-Origin` header is needed or expected on those responses.
- Cookie domain
  - Use a shared parent domain at the ingress (Traefik) so the BFF sets the cookie for `.ocg.labs.empowernow.ai`. See ../reference/settings-reference.md#env-BFF_COOKIE_DOMAIN. A cookie scoped to a parent domain is sent to, and can be overwritten from, every host under it, so keep the domain as narrow as your hostnames allow.
  - Ensure `Secure`, `HttpOnly` and `SameSite=Lax` are set; do not expose tokens to the browser. Tokens stay in the BFF, and the browser should only ever receive `bff_session`.
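As an added example (not the BFF's own code, which this page does not reproduce), the following shows the allow‑list behaviour the steps above rely on: exact‑origin matching of `CORS__ALLOW_ORIGINS`, refusal of `*` together with `CORS__ALLOW_CREDENTIALS`, preflight handling for the dev origin, and the same‑origin production case where no CORS headers are emitted at all. The comma‑separated format, the defaults, and the function names `parseAllowList`, `loadCorsConfig` and `corsHeaders` are assumptions made for the illustration.

```javascript
// Added example, not the EmpowerNow BFF's own code: an origin allow-list of the
// kind CORS__ALLOW_ORIGINS and CORS__ALLOW_CREDENTIALS describe, applied to
// requests. The comma-separated format, the defaults and the function names
// are assumptions made for this illustration.

// Parse a comma-separated allow-list into a Set of exact origins
// (scheme://host[:port]). Entries go through the URL parser, so
// "http://localhost:5173/" and "http://LOCALHOST:5173" both normalize to
// "http://localhost:5173", and anything unparseable is dropped rather than
// silently widening the list. A bare "*" is recorded separately.
function parseAllowList(value) {
  const origins = new Set();
  let wildcard = false;
  for (const raw of String(value || '').split(',')) {
    const entry = raw.trim();
    if (!entry) continue;
    if (entry === '*') { wildcard = true; continue; }
    try {
      origins.add(new URL(entry).origin);
    } catch {
      // malformed entry: ignore it
    }
  }
  return { origins, wildcard };
}

// Build the policy from environment variables. `env` is a plain object so the
// example runs offline; in a service it would be process.env.
function loadCorsConfig(env) {
  const allowCredentials = String(env.CORS__ALLOW_CREDENTIALS || 'false').toLowerCase() === 'true';
  const { origins, wildcard } = parseAllowList(env.CORS__ALLOW_ORIGINS);
  if (wildcard && allowCredentials) {
    // Browsers reject "Access-Control-Allow-Origin: *" on a credentialed
    // response, and echoing whatever Origin arrives instead would let any site
    // call the BFF with the user's session cookie. Refuse to start.
    throw new Error('CORS__ALLOW_ORIGINS="*" cannot be combined with CORS__ALLOW_CREDENTIALS=true');
  }
  return {
    allowOrigins: origins,
    wildcard,
    allowCredentials,
    allowMethods: String(env.CORS__ALLOW_METHODS || 'GET,POST,PUT,PATCH,DELETE,OPTIONS')
      .split(',').map(s => s.trim().toUpperCase()).filter(Boolean),
    allowHeaders: String(env.CORS__ALLOW_HEADERS || 'Content-Type,X-Requested-With')
      .split(',').map(s => s.trim()).filter(Boolean),
  };
}

// Decide the CORS headers for one request. `request` is { method, headers }
// with lowercase header names, as Node's http module provides them. Returns
// { allowed, preflight, headers }; when `allowed` is false the caller answers
// without Access-Control-Allow-Origin and the browser blocks the read.
function corsHeaders(config, request) {
  const origin = request.headers.origin;
  // No Origin header: a same-origin request or a non-browser client. This is
  // the production path where /api/** shares the SPA's host: the cookie is
  // sent, no preflight happens and no CORS headers are needed.
  if (!origin) return { allowed: true, preflight: false, headers: {} };

  const allowedOrigin = config.allowOrigins.has(origin)
    ? origin
    : (config.wildcard && !config.allowCredentials ? '*' : null);
  // Vary: Origin goes on every answer so a cache never serves a response
  // computed for one origin to a caller from another.
  if (allowedOrigin === null) return { allowed: false, preflight: false, headers: { Vary: 'Origin' } };

  const headers = { 'Access-Control-Allow-Origin': allowedOrigin, Vary: 'Origin' };
  if (config.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';

  const requestedMethod = request.headers['access-control-request-method'];
  const preflight = request.method === 'OPTIONS' && requestedMethod !== undefined;
  if (preflight) {
    const requestedHeaders = String(request.headers['access-control-request-headers'] || '')
      .split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
    const allowedHeaders = config.allowHeaders.map(h => h.toLowerCase());
    if (!config.allowMethods.includes(requestedMethod.toUpperCase()) ||
        !requestedHeaders.every(h => allowedHeaders.includes(h))) {
      return { allowed: false, preflight: true, headers: { Vary: 'Origin' } };
    }
    headers['Access-Control-Allow-Methods'] = config.allowMethods.join(', ');
    headers['Access-Control-Allow-Headers'] = config.allowHeaders.join(', ');
    headers['Access-Control-Max-Age'] = '600'; // let the browser cache the preflight
  }
  return { allowed: true, preflight, headers };
}
```

Wire `corsHeaders` in front of the `/api/**` handlers: answer a preflight with status 204 and the returned headers, add the headers to normal responses, and when `allowed` is false send the response without `Access-Control-Allow-Origin` so the browser refuses to hand the body to the page.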
Validate
- DevTools → Application → Cookies: `bff_session` present for your domain, with `Secure`, `HttpOnly` and `SameSite=Lax` shown in the cookie's attribute columns.
- Response headers on an unauthenticated API call from the dev origin contain `Access-Control-Allow-Origin` set to exactly that origin (not `*`), `Access-Control-Allow-Credentials: true` if cookies are used, and `Vary: Origin`. Outside the browser, `curl -si -H 'Origin: http://localhost:5173' https://<bff-host>/<api-path>` (placeholders, substitute your deployment) shows the same headers. In same‑origin prod, the absence of `Access-Control-Allow-Origin` on `/api/**` is the expected result.
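As an added example that is not part of the original page or the EmpowerNow project, here are the two Validate checks as an offline script run over response headers you copy from DevTools → Network or from `curl -si`. The cookie name `bff_session`, the domain `.ocg.labs.empowernow.ai` and the header names come from this page; the sample values, the function names `parseSetCookie`, `auditSessionCookie`, `auditCorsResponse` and `runChecks`, and the wording of the findings are assumptions.

```javascript
// Added example, not code from the page or the EmpowerNow project: an offline
// version of the Validate checks, run over constructed response headers.

// Parse one Set-Cookie header into { name, value, attributes }. Attribute
// names are lowercased; valueless attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Check the session cookie the BFF set: present, scoped to the expected parent
// domain, and carrying the attributes that keep it off clear-text connections
// and out of reach of page scripts. Returns findings; empty means it looks right.
function auditSessionCookie(setCookieHeaders, expectedDomain) {
  const findings = [];
  const cookie = setCookieHeaders.map(parseSetCookie).find(c => c.name === 'bff_session');
  if (!cookie) return ['no bff_session cookie in the response'];
  const a = cookie.attributes;
  if (a.secure !== true) findings.push('bff_session lacks Secure');
  if (a.httponly !== true) findings.push('bff_session lacks HttpOnly');
  const sameSite = String(a.samesite || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push(`bff_session SameSite is ${a.samesite || 'unset'}, expected Lax`);
  }
  const norm = d => String(d || '').replace(/^\./, '').toLowerCase();
  if (norm(a.domain) !== norm(expectedDomain)) {
    findings.push(`bff_session Domain is ${a.domain || 'host-only'}, expected ${expectedDomain}`);
  }
  return findings;
}

// Check the CORS headers on an unauthenticated API call made from the dev
// origin. `headers` uses lowercase names, as Node's http module returns them.
function auditCorsResponse(headers, devOrigin) {
  const findings = [];
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) {
    findings.push('no Access-Control-Allow-Origin: the origin is not in CORS__ALLOW_ORIGINS');
  } else if (acao === '*') {
    findings.push('Access-Control-Allow-Origin is *; cookie-authenticated calls need the exact origin');
  } else if (acao !== devOrigin) {
    findings.push(`Access-Control-Allow-Origin is ${acao}, expected ${devOrigin}`);
  }
  if (headers['access-control-allow-credentials'] !== 'true') {
    findings.push('Access-Control-Allow-Credentials is not true; the browser will not send cookies cross-origin');
  }
  const vary = String(headers.vary || '').split(',').map(s => s.trim().toLowerCase());
  if (!vary.includes('origin')) {
    findings.push('Vary: Origin missing; a shared cache could replay this response to another origin');
  }
  if (!String(headers['content-type'] || '').startsWith('application/json')) {
    findings.push('unauthenticated response is not JSON');
  }
  return findings;
}

// Constructed samples (not captured from a real deployment): a correct
// unauthenticated answer to the Vite dev server, and a correct Set-Cookie
// header for the parent-domain setup described on the page.
const sampleCorsHeaders = {
  'content-type': 'application/json',
  'access-control-allow-origin': 'http://localhost:5173',
  'access-control-allow-credentials': 'true',
  vary: 'Origin',
};
const sampleSetCookie = [
  'bff_session=opaque-session-id; Domain=.ocg.labs.empowernow.ai; Path=/; Secure; HttpOnly; SameSite=Lax',
];

// Run both audits; an empty list means both Validate checks pass.
function runChecks(corsHeadersSeen, devOrigin, cookieDomain, setCookieHeaders) {
  return [
    ...auditCorsResponse(corsHeadersSeen, devOrigin),
    ...auditSessionCookie(setCookieHeaders, cookieDomain),
  ];
}
```

Paste the headers you actually observe into `sampleCorsHeaders` and `sampleSetCookie` and call `runChecks`; each finding names the setting or attribute to fix.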