Get help on Discord

How to Add Multiple Domains or Subdomains to CORS

6 replies
Last updated: Apr 9, 2021
Hey! We have a few different domains, and I wanted to add them to the CORS Origins. I'm trying to write 
https://*<http://HOSTNAME.se|HOSTNAME.se>
, but I then get CORS error. The actual address I am trying to fit in is: 
<https://canary.www.HOSTNAME.se>
. Does anyone know if this is possible or not, and if not: why..?
AI Update

I can see what's happening here! The issue is that Sanity's CORS Origins configuration doesn't support wildcard patterns for subdomains like https://*.HOSTNAME.se. You need to add each specific subdomain individually.

Based on the CORS Origins documentation, here's what you need to know:

Why wildcards don't work: Sanity requires you to explicitly whitelist each complete domain with its full protocol. This is a security best practice to prevent unauthorized access to your content.

What you need to do: For your address https://canary.www.HOSTNAME.se, you need to add the exact, complete URL to your CORS origins:

  1. Go to manage.sanity.io
  2. Select your project
  3. Navigate to Settings β†’ API β†’ CORS Origins
  4. Click "Add CORS origin"
  5. Enter the complete URL: https://canary.www.HOSTNAME.se
  6. If you're using authentication tokens with your Sanity client, make sure to check the "Allow credentials" box
  7. Save

For multiple domains: If you have several subdomains (like canary.www.HOSTNAME.se, staging.www.HOSTNAME.se, production.www.HOSTNAME.se), you'll need to add each one individually as a separate CORS origin entry. It's a bit more manual work, but it provides better security control over which domains can access your Sanity project.

Important note: The protocol matters! http:// and https:// are treated as different origins, so make sure you're adding the exact protocol you're using.

If you're still getting CORS errors after adding the exact domain, double-check that:

  • There are no typos in the URL
  • The protocol matches exactly (https vs http)
  • You've enabled "Allow credentials" if you're using authentication tokens
  • You've waited a moment for the changes to propagate (usually instant, but can take a few seconds)
https://*.<http://HOSTNAME.se|HOSTNAME.se>
should work
Yeah, I tried that too but it didn't work πŸ˜• I mean, I have both canary.www. before the hostname - could that have something to do with it?
Does the protocol you entered in CORS Origins match your site (i.e., both are https:// or http://)?
Yes! The protocol is only https, and that's what I wrote in the CORS origin entry as well.
user N
If you DM me your projectId and dataset name + an example origin I can do some debugging here.
Update: CORS wildcards only works for single subdomains, so the solution was to add 
https://*.*.<http://HOSTNAME.se|HOSTNAME.se>
(we're updating our docs to be more clear about this)

Sanity – Build the way you think, not the way your CMS thinks

Sanity is the developer-first content operating system that gives you complete control. Schema-as-code, GROQ queries, and real-time APIs mean no more workarounds or waiting for deployments. Free to start, scale as you grow.

Get started for freeExplore the demo

Was this answer helpful?