
CORS Configuration

Kiket uses dynamic CORS — allowed origins are read from ProductApplication.allowed_origins, not a static config file.

How It Works

  1. The browser sends the request with an Origin header (scheme, host and port of the calling page; never a path)
  2. The rack-cors middleware checks whether that origin appears in the allowed_origins array of any active ProductApplication
  3. If it matches, the CORS response headers are set (Access-Control-Allow-Origin, etc.); if it does not, the response carries no CORS headers and the browser refuses to let the calling page read it
  4. ProductIdentificationMiddleware resolves the same Origin to a product and sets Current.product_application, so the product attached to a request is the one that owns the origin

Resolved origins are cached for 5 minutes; the cache is also invalidated immediately when a ProductApplication is saved or deleted.
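
The lookup described above, as an added example that is not Kiket's own code: an in-memory stand-in for ProductApplication, an allowlist that matches scheme, host and port exactly, the 5-minute cache, and the invalidation hook. The normalization step (trailing slash and default port are dropped, host is lowercased) and the rack-cors lambda wiring shown in the comment are this example's choices, not something the page states Kiket does.

```ruby
# Added example (not Kiket's code): an in-memory model of the dynamic
# origin lookup, with the 5-minute cache and explicit invalidation.
require "uri"

# Stand-in for the ActiveRecord model. Assumed shape: an active flag and a
# string-array allowed_origins column.
ProductApplication = Struct.new(:name, :active, :allowed_origins) do
  def active?
    active
  end
end

class OriginAllowlist
  TTL_SECONDS = 5 * 60

  # `clock` is injectable so the TTL can be exercised deterministically.
  def initialize(products, clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @products = products
    @clock = clock
    @index = nil
    @built_at = nil
  end

  # A web origin is scheme + host + port only. Normalising both sides makes
  # "https://a.example/" and "https://a.example:443" match "https://a.example",
  # while "http://a.example", "https://a.example:8443" and "https://a.example.evil"
  # stay distinct. Non-http(s) values, the literal "null" and garbage yield nil.
  def self.normalize(origin)
    return nil if origin.nil? || origin.strip.empty?
    uri = URI.parse(origin.strip)
    return nil unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
    port = uri.port == uri.default_port ? "" : ":#{uri.port}"
    "#{uri.scheme}://#{uri.host.downcase}#{port}"
  rescue URI::InvalidURIError
    nil
  end

  # The product that registered this origin, or nil (what
  # ProductIdentificationMiddleware would put into Current.product_application).
  def product_for(origin)
    key = self.class.normalize(origin)
    key && index[key]
  end

  def allowed?(origin)
    !product_for(origin).nil?
  end

  # What the model's after-commit hook would call on save or delete.
  def invalidate!
    @index = nil
  end

  private

  # origin => product, rebuilt from active products when empty or older than TTL.
  def index
    now = @clock.call
    if @index.nil? || now - @built_at > TTL_SECONDS
      @index = {}
      @products.select(&:active?).each do |product|
        product.allowed_origins.each do |raw|
          key = self.class.normalize(raw)
          @index[key] ||= product if key # first registration wins on a shared origin
        end
      end
      @built_at = now
    end
    @index
  end
end

# Constructed sample data.
PRODUCTS = [
  ProductApplication.new("gdpr", true,  ["https://spravce-gdpr.cz", "http://localhost:3001"]),
  ProductApplication.new("old",  false, ["https://old.example"]),
]
ALLOWLIST = OriginAllowlist.new(PRODUCTS)

# rack-cors wiring (assumption: `origins` accepts a lambda receiving the
# Origin value and the Rack env). Left as a comment because rack-cors is
# not loaded in this stand-alone example.
#
#   allow do
#     origins ->(source, _env) { ALLOWLIST.allowed?(source) }
#     resource "*", headers: :any, methods: %i[get post put patch delete options],
#       expose: %w[X-Request-Id X-RateLimit-Limit X-RateLimit-Remaining X-RateLimit-Reset]
#   end

if $PROGRAM_NAME == __FILE__
  %w[https://spravce-gdpr.cz https://spravce-gdpr.cz:443 http://spravce-gdpr.cz
     https://spravce-gdpr.cz.evil.test http://localhost:3000 https://old.example null].each do |o|
    puts "#{o.ljust(36)} -> #{ALLOWLIST.allowed?(o)}"
  end
end
```

Two points the demo makes concrete: an inactive product's origins are never matched even though they are stored, and a change to the product list is invisible until either invalidate! runs or the 5-minute entry expires.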

Configuring Origins

Add origins when registering your product (via the admin panel or during setup). An origin is scheme, host and port only: include the protocol (https://), leave out any path or trailing slash, and list a non-default port explicitly. The match is exact, so https:// and http:// forms of the same host are two different origins. Each product can have multiple origins.

Example origins:

https://spravce-gdpr.cz
http://localhost:3001

Development

In the development and test environments every origin is allowed, so no configuration is needed. Because this is keyed on the application environment, a deployed host accidentally running in development mode would accept any origin; confirm the environment on anything reachable from the internet.

Debugging

If your frontend gets CORS errors:

  1. Check the Origin header in browser DevTools (Network tab, request headers). For a preflighted request, look at the OPTIONS request, not the one that follows it
  2. Verify the exact origin (scheme, host and port, no path) is in your product's allowed_origins; http:// instead of https://, or a missing port, is a miss
  3. Check that the product is active; origins of inactive products are ignored
  4. Origins are cached for 5 minutes. Saving or deleting the ProductApplication clears the cache immediately; a change made by any other route (a direct database edit, for example) takes effect only once the cached entry expires
  5. Reproduce outside the browser: send the same request with curl and an explicit Origin header and look for Access-Control-Allow-Origin in the response. If it is absent, the server side is rejecting the origin; if it is present, the browser error is about something else, such as credentials, the method, or a request header the preflight did not allow

Exposed Headers

These headers are listed in Access-Control-Expose-Headers, so cross-origin JavaScript can read them from a response (for example response.headers.get('X-RateLimit-Remaining') on a fetch result). Any other header outside the CORS-safelisted set is hidden from the calling page even when the request itself succeeds:

  • X-Request-Id
  • X-RateLimit-Limit
  • X-RateLimit-Remaining
  • X-RateLimit-Reset