Sanity Pioneers: Get early access to betas, extra AI credits, and a direct line to the engineering team. Apply now

Cannot add wildcard domain to Sanity CORS settings

2 repliesLast updated: Nov 29, 2025
Hi, I’m having issues adding a domain with a wildcard to the CORS settings of my Sanity project as described in the docs : (also https://*.netlify.app is not accepted)
AI Update

I understand your frustration with CORS wildcard settings! Unfortunately, Sanity does not support wildcard subdomains in CORS origins, which is why https://*.netlify.app isn't accepted. This is a security limitation by design.

According to the CORS documentation, you need to add each specific domain individually. So instead of using a wildcard, you'll need to add each Netlify deployment URL separately, like:

  • https://your-site-name.netlify.app
  • https://staging-branch--your-site-name.netlify.app
  • https://preview-branch--your-site-name.netlify.app

Why No Wildcards?

While the CORS specification technically allows wildcards, Sanity doesn't support them when credentials are involved. Since most Sanity client configurations use authentication tokens (which require the "Allow credentials" option), wildcards would create a security risk by potentially exposing your authenticated API access to unintended subdomains on public suffix domains like .netlify.app.

Workarounds for Netlify Preview Deployments

If you're dealing with multiple Netlify preview deployments (which generate unique URLs for each branch/PR), here are some approaches:

  1. Use public datasets for previews: If your content doesn't require authentication, you can configure your preview deployments to use the public API without credentials, which doesn't require CORS configuration at all.

  2. Add domains as needed: For production and key staging environments, manually add each specific domain through the Sanity Management Dashboard under Settings > API > CORS Origins.

  3. Use a reverse proxy: Some teams set up a backend proxy that makes the Sanity API calls server-side, avoiding CORS entirely for preview environments.

  4. Netlify Functions: Make Sanity API calls from Netlify Functions (serverless functions) instead of the browser, which bypasses CORS restrictions since server-to-server calls don't involve CORS.

The domain-by-domain approach is the intended security model, even though it's less convenient for dynamic preview URLs on platforms like Netlify. This restriction helps protect your content from unauthorized access across wildcard subdomains on public suffix domains.

Show original thread
2 replies

Was this answer helpful?

Sanity – Build the way you think, not the way your CMS thinks

Sanity is the developer-first content operating system that gives you complete control. Schema-as-code, GROQ queries, and real-time APIs mean no more workarounds or waiting for deployments. Free to start, scale as you grow.

Get started for freeExplore the demo

Related answers

Get more help in the community Discord

Related contributions

Auto-generate alt text for Media Library assets

FeaturedOfficial

Automatically generate accessible, multilingual alt text for images in your Sanity Media Library using Agent Actions and Sanity Functions

Bram Doppen

Bram Doppen

First Published Timestamp Function

FeaturedOfficial

Automatically track when content was first published with a timestamp that sets once and never overwrites, providing reliable publication history for analytics and editorial workflows.

Knut Melvær

Knut Melvær

Automatically tag blog posts

FeaturedOfficial

AI-powered automatic tagging for Sanity blog posts that analyzes content to generate 3 relevant tags, maintaining consistency by reusing existing tags from your content library.

Ken Jones Pizza
Knut Melvær

Ken Jones Pizza and 1 other