Help ! Local Source Code Start 401 (UNAUTHORIZED)

[ZoeyuYK]

Self Checks

• I have searched for existing issues search for existing issues, including closed ones.
• I confirm that I am using English to submit this report (我已阅读并同意 Language Policy).
• [FOR CHINESE USERS] 请务必使用英文提交 Issue，否则会被关闭。谢谢！:)
• Please do not modify this template :) and fill in all the required fields.

1. Is this request related to a challenge you're experiencing? Tell me about your story.

local development
Local code version :1.11.4
When connecting the frontend to the backend address, a cross-site prompt is displayed

The cookie was not set successfully, and the warning content is as follows

2. Additional context or comments

No response

[dosubot[bot]]

Your 401 error and SameSite cookie warnings in local Dify development are caused by browser security policies and configuration mismatches between frontend and backend. Modern browsers block cookies with SameSite=Lax from being set in cross-origin requests unless the response is a top-level navigation, and cookies may also be blocked if not marked as Secure when using HTTPS, or if the domain/port settings are inconsistent.

To fix this:

1. Run both frontend and backend on HTTPS (self-signed certificates are fine for local dev) to ensure cookies can be set with the Secure flag source.
2. In your /dify/api/.env, set:

   WEB_API_CORS_ALLOW_ORIGINS=http://localhost:3000,*
   CONSOLE_CORS_ALLOW_ORIGINS=http://localhost:3000,*
   CONSOLE_API_URL=http://localhost:5001
   CONSOLE_WEB_URL=http://localhost:3000
   SERVICE_API_URL=http://localhost:5001
   APP_WEB_URL=http://localhost:3000
   

   Make sure COOKIE_DOMAIN matches your local domain or is unset for localhost source.
3. In /dify/web/.env.local, set:

   NEXT_PUBLIC_API_PREFIX=http://localhost:5001/console/api
   NEXT_PUBLIC_PUBLIC_API_PREFIX=http://localhost:5001/api
   

4. Generate a strong SECRET_KEY in /dify/api/.env (e.g., openssl rand -base64 42) and restart all services after changing .env files source.
5. If you still get 401 errors or cookie warnings, launch Chrome with:

   chrome.exe --disable-features=SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure
   

   This disables strict SameSite enforcement for local development source.

If the problem persists, let me know your exact frontend and backend URLs (including ports) so I can help you further.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[ZoeyuYK]

In the end, the issue was resolved by setting up a proxy on the front end