Manage CORS configuration via environment variables using django-cors-headers

.env.example

@@ -526,6 +526,14 @@ WEBDAV_SERVER_NAMES="172.17.0.1,webdav"
 # DEFAULT: 5433
 HOST_POSTGRES_PORT=5433
 
+# Comma-separated list of origins allowed to make cross-origin requests to the API.
+# Do NOT include trailing slashes. Example: https://app.example.com,http://localhost:5173
+CORS_ALLOWED_ORIGINS=https://docs.qfield.org
+
+# Allow credentials (cookies, authorization headers) in cross-origin requests.
+# Set to 1 if your clients send authentication tokens or session cookies.
+CORS_ALLOW_CREDENTIALS=1
+
 
 ##################
 # Debug settings - development only

docker-app/qfieldcloud/settings.py

@@ -137,12 +137,14 @@
     "django_extensions",
     "bootstrap4",
     "sri",
+    "corsheaders",
     # To ensure that exceptions inside other apps' signal handlers do not affect the integrity of file deletions within transactions, `django_cleanup` should be placed last in `INSTALLED_APPS`. See https://github.com/un1t/django-cleanup#configuration
     "django_cleanup.apps.CleanupConfig",
 ]
 
 MIDDLEWARE = [
     "debug_toolbar.middleware.DebugToolbarMiddleware",
+    "corsheaders.middleware.CorsMiddleware",
     "django.middleware.security.SecurityMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.locale.LocaleMiddleware",
@@ -586,6 +588,7 @@ def before_send(event, hint):
     },
 }
 
+###########################
 # Django axes configuration
 # https://django-axes.readthedocs.io/en/latest/4_configuration.html
 ###########################
@@ -970,3 +973,30 @@ def before_send(event, hint):
 #     "logo_alt": "Your logo description",
 #     "favicon": "path/to/favicon.ico",
 # }
+
+
+###########################
+# CORS settings
+# Managed via django-cors-headers.
+# Origins and credentials are configured through environment variables,
+# so no nginx changes are needed when adding new clients.
+# https://github.com/adamchainz/django-cors-headers
+###########################
+
+# Comma-separated list of origins that are allowed to make cross-origin
+# requests. Do not include trailing slashes.
+# Example: CORS_ALLOWED_ORIGINS=https://app.example.com,http://localhost:5173
+CORS_ALLOWED_ORIGINS = [
+    origin.strip()
+    for origin in os.environ.get("CORS_ALLOWED_ORIGINS", "").split(",")
+    if origin.strip()
+]
+
+# Only allow CORS on API endpoints – static files and pages are unaffected.
+CORS_URLS_REGEX = r"^/api/.*$"
+
+# Whether to include credentials (cookies, authorization headers) in
+# cross-origin requests. Required when clients send auth tokens.
+CORS_ALLOW_CREDENTIALS = bool(
+    int(os.environ.get("CORS_ALLOW_CREDENTIALS", 0))
+)

docker-app/requirements/requirements.in

@@ -7,6 +7,7 @@ django-axes==8.0.0
 django-bootstrap4==25.2
 django-classy-tags==4.1.0
 django-cleanup==9.0.0
+django-cors-headers==4.9.0
 django-common-helpers==0.9.2
 django-constance==4.3.2
 django-countries==8.2.0

docker-app/requirements/requirements.txt

@@ -1,14 +1,15 @@
 #
-# This file is autogenerated by pip-compile with Python 3.10
+# This file is autogenerated by pip-compile with Python 3.11
 # by the following command:
 #
-#    pip-compile --no-strip-extras --output-file=/requirements/requirements.txt /requirements/requirements.in
+#    pip-compile requirements/requirements.in
 #
 asgiref==3.9.1
     # via
     #   django
     #   django-allauth
     #   django-axes
+    #   django-cors-headers
     #   django-countries
 attrs==25.3.0
     # via
@@ -17,9 +18,9 @@ attrs==25.3.0
 beautifulsoup4==4.13.5
     # via django-bootstrap4
 boto3==1.35.90
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 boto3-stubs==1.35.90
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 botocore==1.35.99
     # via
     #   boto3
@@ -39,16 +40,17 @@ cryptography==45.0.6
     #   django-fernet-encrypted-fields
     #   pyjwt
 deprecated==1.3.1
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django==4.2.28
     # via
-    #   -r /requirements/requirements.in
+    #   -r requirements/requirements.in
     #   django-allauth
     #   django-auditlog
     #   django-axes
     #   django-bootstrap4
     #   django-classy-tags
     #   django-common-helpers
+    #   django-cors-headers
     #   django-cron
     #   django-currentuser
     #   django-debug-toolbar
@@ -72,77 +74,79 @@ django==4.2.28
     #   drf-spectacular
     #   jsonfield
 django-allauth[socialaccount]==65.13.1
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-auditlog==3.4.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-axes==8.0.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-bootstrap4==25.2
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-classy-tags==4.1.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-cleanup==9.0.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-common-helpers==0.9.2
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-constance==4.3.2
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
+django-cors-headers==4.9.0
+    # via -r requirements/requirements.in
 django-countries==8.2.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-cron==0.6.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-currentuser==0.9.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-debug-toolbar==6.0.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-extensions==4.1
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-fernet-encrypted-fields==0.3.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-filter==25.1
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-invitations==2.1.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-jazzmin==3.0.1
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-log-request-id==2.1.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-migrate-sql-3==3.0.2
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-model-utils==5.0.0
     # via
-    #   -r /requirements/requirements.in
+    #   -r requirements/requirements.in
     #   django-notifications-hq
 django-nonrelated-inlines==0.2
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-notifications-hq==1.8.3
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-phonenumber-field==8.3.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-sri==0.8.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-storages==1.14.6
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-stubs==5.2.7
     # via
-    #   -r /requirements/requirements.in
+    #   -r requirements/requirements.in
     #   djangorestframework-stubs
 django-stubs-ext==5.2.7
     # via
-    #   -r /requirements/requirements.in
+    #   -r requirements/requirements.in
     #   django-stubs
 django-tables2==2.8.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 django-timezone-field==7.1
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 djangorestframework==3.16.1
     # via
-    #   -r /requirements/requirements.in
+    #   -r requirements/requirements.in
     #   drf-spectacular
 djangorestframework-stubs==3.16.4
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 drf-spectacular==0.29.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 idna==3.10
     # via requests
 inflection==0.5.1
@@ -152,29 +156,29 @@ jmespath==1.0.1
     #   boto3
     #   botocore
 json-log-formatter==1.1.1
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 jsonfield==3.2.0
     # via django-notifications-hq
 jsonschema==4.25.1
     # via drf-spectacular
 jsonschema-specifications==2025.4.1
     # via jsonschema
 mypy-boto3-s3==1.35.81
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 oauthlib==3.3.1
     # via django-allauth
 phonenumbers==9.0.15
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 pillow==11.3.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 psycopg2==2.9.11
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 pycparser==2.22
     # via cffi
 pyjwt[crypto]==2.10.1
     # via django-allauth
 pymemcache==4.0.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 python-dateutil==2.9.0.post0
     # via
     #   botocore
@@ -199,7 +203,7 @@ rpds-py==0.27.0
 s3transfer==0.10.4
     # via boto3
 sentry-sdk==2.47.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 six==1.17.0
     # via python-dateutil
 soupsieve==2.7
@@ -209,11 +213,9 @@ sqlparse==0.5.3
     #   django
     #   django-debug-toolbar
 stripe==4.2.0
-    # via -r /requirements/requirements.in
+    # via -r requirements/requirements.in
 swapper==1.4.0
     # via django-notifications-hq
-tomli==2.2.1
-    # via django-stubs
 types-awscrt==0.27.6
     # via botocore-stubs
 types-pyyaml==6.0.12.20250822
@@ -226,7 +228,6 @@ types-s3transfer==0.13.0
     # via boto3-stubs
 typing-extensions==4.14.1
     # via
-    #   asgiref
     #   beautifulsoup4
     #   boto3-stubs
     #   django-countries

docker-compose.yml

@@ -62,6 +62,8 @@ services:
       EMAIL_HOST_USER: ${EMAIL_HOST_USER}
       EMAIL_HOST_PASSWORD: ${EMAIL_HOST_PASSWORD}
       DEFAULT_FROM_EMAIL: ${DEFAULT_FROM_EMAIL}
+      CORS_ALLOWED_ORIGINS: ${CORS_ALLOWED_ORIGINS}
+      CORS_ALLOW_CREDENTIALS: ${CORS_ALLOW_CREDENTIALS}
       # Settings below are specific to worker_wrapper
       # TODO : move this to the worker_wrapper service and keep things DRY (yaml syntax expert needed)
       TMP_DIRECTORY: ${TMP_DIRECTORY}

docker-nginx/templates/default.conf.template

@@ -150,7 +150,6 @@ server {
   }
 
   location /swagger.yaml {
-    add_header Access-Control-Allow-Origin https://docs.qfield.org;
     proxy_pass http://django;
   }