Open source platform for stress free deployments, measured impact, and smarter decisions.

GrowthBook Users

Hey guys I have a question about self hosting. The current requirement to have separate ports is a bit confusing to me. Is it not possible to host both over 443? I currently have the front end on 443 and the backend over 80 but this is throwing a lot of security concerns.

Hi Josh, you can certainly serve both at port 443 to support SSL I'm assuming. Do you have a domain that you're using? I would recommend setting a subdomain for the API server

Oh ok, i did have them setup this way with separate subdomains, but it was causing cors errors when attempting to log in

I had it as:
• Front-End: <https://growthbook.domain.com>
• Back-End: <https://gbapi.domain.com>

You might need to set the `APP_ORIGIN` env var in your backend. This is used to automatically generate the correct CORS config

In your case it would be set to `<https://growthbook.domain.com>`

You shouldn't be seeing CORS errors if that's the case

<https://github.com/growthbook/growthbook/blob/ab4bac70e80a193237d31d47f7a0bfb71838a20e/packages/back-end/src/app.ts#L230-L240>

Yeah i was investigating this code too and I even set the:
```{
   name  = "CORS_ORIGIN_REGEX"
   value = ".*"
},```
just in case

Going to reproduce my issue really quick to show you what im getting

Error:
```Access to fetch at '<https://gbapi.rtg-shared.com/auth/login>' from origin '<https://growthbook.rtg-shared.com>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.```

image.png

I can see it has the wildcard in the allow origin response header but it almost look like the request fails before preflight occurs

The error is saying it cannot be wildcard

It's okay! Give it a shot without the wildcard and let me know how it goes