Cors
CORS¶
This whole section is only necessary in cross-origin cases (where you multiple bot API's running on localhost:8081
, localhost:8082
, ...), and want to combine them into one FreqUI instance.
Technical explanation
All web-based front-ends are subject to CORS - Cross-Origin Resource Sharing.
Since most of the requests to the Freqtrade API must be authenticated, a proper CORS policy is key to avoid security problems.
Also, the standard disallows *
CORS policies for requests with credentials, so this setting must be set appropriately.
Users can allow access from different origin URL's to the bot API via the CORS_origins
configuration setting.
It consists of a list of allowed URL's that are allowed to consume resources from the bot's API.
Assuming your application is deployed as https://frequi.freqtrade.io/home/
- this would mean that the following configuration becomes necessary:
{
//...
"jwt_secret_key": "somethingrandom",
"CORS_origins": ["https://frequi.freqtrade.io"],
//...
}
In the following (pretty common) case, FreqUI is accessible on http://localhost:8080/trade
(this is what you see in your navbar when navigating to freqUI).
The correct configuration for this case is http://localhost:8080
- the main part of the URL including the port.
{
//...
"jwt_secret_key": "somethingrandom",
"CORS_origins": ["http://localhost:8080"],
//...
}
trailing Slash
The trailing slash is not allowed in the CORS_origins
configuration (e.g. "http://localhots:8080/"
).
Such a configuration will not take effect, and the cors errors will remain.
Note
We strongly recommend to also set jwt_secret_key
to something random and known only to yourself to avoid unauthorized access to your bot.