delightful-sugar-84666
11/19/2024, 9:14 AM
`CORS_ORIGIN_REGEX` env variable in Growthbook? and how to use in production deployment

orange-terabyte-33302
11/19/2024, 9:14 AM
`CORS_ORIGIN_REGEX` environment variable in GrowthBook is used to help overcome Cross-Origin Resource Sharing (CORS) issues, particularly in production deployments where you may have multiple domains or subdomains accessing the GrowthBook API. Here's the significance and usage of `CORS_ORIGIN_REGEX`:

1. Purpose: It allows you to specify a regex pattern to match allowed origins for CORS, giving you more flexibility in controlling which domains can access your GrowthBook API [Forum Conversation](https://linen.growthbook.io/t/18924506/running-into-cors-issues-while-running-growthbook-in-ecs).
2. Usage in production: When deploying GrowthBook in a production environment, you can set this variable to match your domain pattern. For example, if you want to allow all subdomains, you might use:

   ```
   CORS_ORIGIN_REGEX='.*'
   ```

   This would allow any origin to access the API, which might be useful for testing but is not recommended for strict security [Forum Conversation](https://linen.growthbook.io/t/16334889/hey-guys-i-deploy-growthbook-on-our-platform-based-on-k).
3. Solving CORS issues: Many users have reported solving CORS problems by setting this variable, especially when using Kubernetes or other containerized deployments [Github Issue](https://github.com/growthbook/growthbook/issues/1303).
4. Complementary to other settings: While `CORS_ORIGIN_REGEX` is helpful, it's important to note that it works in conjunction with other environment variables like `APP_ORIGIN` and `API_HOST`. These should be set correctly for your deployment to ensure proper CORS handling [Self-host > Environment Variables](https://docs.growthbook.io/self-host/env).
5. Security consideration: While using `'.*'` as the value can solve CORS issues, it's generally not recommended for production use as it allows any origin. In a production environment, you should set a more specific regex pattern that matches only your trusted domains.

Remember, while `CORS_ORIGIN_REGEX` can be a helpful tool in managing CORS issues, it's important to balance accessibility with security in your production deployments. Always ensure you're following best practices for CORS configuration in your specific environment.
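
The following is an added example, not part of the thread and not GrowthBook's own code: a pre-deployment check that shows which origins a candidate `CORS_ORIGIN_REGEX` value would let through. It assumes the value is compiled as a JavaScript `RegExp` and tested against the request's `Origin` header; `example.com`, the sample origins and the function names are constructed for illustration.

```javascript
// Added example: audits a candidate CORS_ORIGIN_REGEX value before deployment.
// Assumption: the value is compiled as a JavaScript RegExp and tested against
// the request's Origin header; confirm this against your GrowthBook version.

// Constructed sample origins (example.com stands in for your own domain).
const TRUSTED = ["https://example.com", "https://app.example.com"];
const UNTRUSTED = [
  "https://evil.test",
  "https://example.com.evil.test", // trusted name used as a prefix
  "https://notexample.com",        // trusted name used as a suffix
  "http://app.example.com",        // right host, plaintext scheme
];

function originAllowed(pattern, origin) {
  return new RegExp(pattern).test(origin);
}

// Returns the untrusted origins a pattern lets in and the trusted ones it blocks.
function auditPattern(pattern, trusted = TRUSTED, untrusted = UNTRUSTED) {
  return {
    wronglyAllowed: untrusted.filter((o) => originAllowed(pattern, o)),
    wronglyBlocked: trusted.filter((o) => !originAllowed(pattern, o)),
  };
}

const CANDIDATES = {
  wildcard: ".*",                                      // matches every origin
  unanchored: "example\\.com",                         // substring match only
  anchored: "^https://([a-z0-9-]+\\.)*example\\.com$", // scheme and host pinned
};

for (const [name, pattern] of Object.entries(CANDIDATES)) {
  console.log(name, pattern, auditPattern(pattern));
}
```

A pattern is ready for production only when both lists come back empty for your own trusted and untrusted origin sets; if your clients use a non-default port, the anchored pattern needs an explicit port component.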