Enable configurable CORS via environment variables
toni.schoenbuchner@csgis.de
Currently, enabling cross-origin access to the API requires manually adding add_header directives in the nginx configuration. This makes it cumbersome for developers who want to build custom frontends or applications against the QFieldCloud API.
To simplify this, we should manage CORS directly at the Django level using environment variables instead of hardcoded nginx headers.
Proposed Changes
- Add django-cors-headers as a dependency
- Configure CORS middleware and settings in settings.py, driven by environment variables:
  - CORS_ALLOWED_ORIGINS=https://app.example.com,http://localhost:5173
  - CORS_ALLOW_CREDENTIALS=1
- Restrict CORS handling to /api/ endpoints via CORS_URLS_REGEX
- Remove hardcoded Access-Control-Allow-Origin header from nginx (e.g. /swagger.yaml)
- Ensure https://docs.qfield.org is configured via .env instead of nginx
- Pass CORS_ALLOWED_ORIGINS and CORS_ALLOW_CREDENTIALS through docker-compose.yml
- Update .env.example with documentation
Expected Outcome
Developers can build their own frontends against the API by simply adding their origin to CORS_ALLOWED_ORIGINS — without modifying nginx configuration or rebuilding containers.
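
One way the environment-driven settings proposed above could be parsed, as an added example that is not QFieldCloud's own code. The helper names `parse_origins` and `cors_settings`, the fail-closed defaults, and the exact `/api/` regex are assumptions; the setting names are those of django-cors-headers.

```python
import os
from urllib.parse import urlsplit


def parse_origins(raw):
    """Split a comma-separated origin list, rejecting anything that is not a bare origin."""
    origins = []
    for item in raw.split(","):
        origin = item.strip()
        if not origin:
            continue
        parts = urlsplit(origin)
        # An origin is scheme://host[:port] only. Wildcards are refused so that
        # CORS_ALLOW_CREDENTIALS can never be combined with an open allow-list.
        if "*" in origin or parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"not a valid origin: {origin!r}")
        # A trailing slash or path never matches the browser's Origin header.
        if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
            raise ValueError(f"origin must not carry path or userinfo: {origin!r}")
        if origin not in origins:
            origins.append(origin)
    return origins


def cors_settings(env=None):
    """Build the django-cors-headers settings from environment variables."""
    env = os.environ if env is None else env
    flag = env.get("CORS_ALLOW_CREDENTIALS", "0").strip().lower()
    return {
        # Unset or empty means no cross-origin access at all (assumed default).
        "CORS_ALLOWED_ORIGINS": parse_origins(env.get("CORS_ALLOWED_ORIGINS", "")),
        "CORS_ALLOW_CREDENTIALS": flag in ("1", "true", "yes"),
        # Only /api/ responses get CORS headers (assumed pattern).
        "CORS_URLS_REGEX": r"^/api/.*$",
    }


# In settings.py (assumed wiring): add "corsheaders" to INSTALLED_APPS, place
# "corsheaders.middleware.CorsMiddleware" above CommonMiddleware, then:
#     globals().update(cors_settings())
```
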