What does the CORS env variables do?

[taowang1993]

Self Checks

• I have searched for existing issues search for existing issues, including closed ones.
• I confirm that I am using English to submit report (我已阅读并同意 Language Policy).
• [FOR CHINESE USERS] 请务必使用英文提交 Issue，否则会被关闭。谢谢！:）
• Please do not modify this template :) and fill in all the required fields.

Provide a description of requested docs changes

If set these variables to my own domain, does it prevent others from embedding my chatbot?
The iframe already exposes the url, people can just copy the iframe code and embed my chatbot.

<iframe
 src="http://localhost/chatbot/zpbXMm2liB3QYoxb"
 style="width: 100%; height: 100%; min-height: 700px"
 frameborder="0"
 allow="microphone">
</iframe>

CONSOLE_CORS_ALLOW_ORIGINS=my-frontend-domain
WEB_API_CORS_ALLOW_ORIGINS=my-frontend-domain

[dosubot[bot]]

The CORS environment variables in Dify are used to set cross-origin access policies. Specifically:

• CONSOLE_CORS_ALLOW_ORIGINS: This sets the CORS policy for the console. By default, it is set to *, allowing access from all domains.
• WEB_API_CORS_ALLOW_ORIGINS: This sets the CORS policy for the web application. By default, it is also set to *, allowing access from all domains.

If you set these variables to your own domain, it will restrict access to only your specified domain, thereby preventing others from embedding your chatbot. For example:

CONSOLE_CORS_ALLOW_ORIGINS=my-frontend-domain
WEB_API_CORS_ALLOW_ORIGINS=my-frontend-domain

This configuration ensures that only requests from my-frontend-domain are allowed, preventing unauthorized embedding of your chatbot ^[1][2].

To continue talking to Dosu, mention @dosu.

[taowang1993]

I already set them to my own domain.
WEB_API_CORS_ALLOW_ORIGINS=https://riverhill.ai
CONSOLE_CORS_ALLOW_ORIGINS=https://riverhill.ai
But I can still embed the chatbot on other domains.
I want to make sure the chatbot only works on my domain.

[dosubot[bot]]

To ensure that your chatbot only works on your domain, you need to set additional environment variables beyond WEB_API_CORS_ALLOW_ORIGINS and CONSOLE_CORS_ALLOW_ORIGINS. Here are the steps you should follow:

1. Set the following environment variables to your domain:

export CONSOLE_API_URL="https://riverhill.ai/api/console"
export CONSOLE_WEB_URL="https://riverhill.ai/console"
export SERVICE_API_URL="https://riverhill.ai/api/service"
export APP_API_URL="https://riverhill.ai/api/app"
export APP_WEB_URL="https://riverhill.ai/app"

2. Ensure that WEB_API_CORS_ALLOW_ORIGINS and CONSOLE_CORS_ALLOW_ORIGINS are set to your domain:

export WEB_API_CORS_ALLOW_ORIGINS="https://riverhill.ai"
export CONSOLE_CORS_ALLOW_ORIGINS="https://riverhill.ai"

3. Add a check in your chatbot's code to verify the referrer domain. For example, if you are using Dify, you can use a utility function to check if the referrer is your domain:

export const isMyDomain = () => {
  return document.referrer.includes('riverhill.ai')
}

By setting these environment variables and adding a referrer check in your code, you can ensure that your chatbot only works on your specified domain ^[1][2].

To continue talking to Dosu, mention @dosu.

[taowang1993]

My dify instance is at https://dify.riverhill.ai

The domain at which I am embedding the chatbot is https://riverhill.ai

[taowang1993]

How to configure the CORS? Currently:
WEB_API_CORS_ALLOW_ORIGINS="https://riverhill.ai"
CONSOLE_CORS_ALLOW_ORIGINS="https://dify.riverhill.ai"
I am not sure if this is correct.

I want to prevent others from embedding my chatbot.

[taowang1993]

Do I have to add "" arround the url?