XF 2.1 Enable CORS for the built-in API


Good day, I'm trying to develop an app that is going to fetch data from my forum using the built-in API, I'm developing this app in my local environment using Angular but when trying to request data from the API I get the "No 'Access-Control-Allow-Origin' header is present on the requested resource" error.

I wonder if there is an option or what can I do to enable CORS for this API? I need this because I'm going to use the app on some different websites.

Thanks in advance.


XenForo developer
Staff member
This isn't something that the API exposes at this time. It doesn't have any handling for the OPTIONS method, for example. It's something you would need to implement, perhaps at the web server level or via a middleware/proxy for the API.

Note that the API currently isn't really designed with this particular use case in mind, unless you've added additional things on top of it. This would expose API keys to the client directly and these aren't time limited, so they could be easily taken and used in a different scenario by an attacker. (I assume you're not using a super user key with this, as that would allow accessing data as any user.)