
How to Restrict Access to Public Assets

Using the Cross-Origin Resource Sharing policy, we can restrict which domains are allowed to access our public assets.

Ever wondered how to stop other websites using your public assets? This article will cover how you can configure Directus to restrict access to your assets.

To restrict public access to your public assets, use the CORS origin configuration to add a comma-separated list of allowed domains.

For those unfamiliar with CORS, Cross-Origin Resource Sharing is an HTTP header-based mechanism that can "white-list" domains that are allowed to share resources.

To achieve this, we must add some parameters to the configuration file of your project. The Directus configuration is located within the .env file in the root of your project installation directory. This is usually accessed via SSH on Linux, or through the operating system on macOS and Windows.

Open the .env file using your preferred text editor.

First, we need to make sure CORS is enabled. Check if CORS_ENABLED exists and, if not, add it on a new line. Then set it to true.

With CORS enabled, browsers will block cross-origin queries from any domain that is not listed. Make sure to include domains that rely on the API as well.

Next, add CORS_ORIGIN underneath and list the domains on the same line, separated by commas.


Save and close the file then restart the Directus service.
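
An added example, not part of the original article or Directus's own code: a Python check that audits a .env for the two settings described above before you restart the service. The sample file and its domains are constructed placeholders, and the checks assume each CORS_ORIGIN entry is compared exactly against the browser's Origin header (scheme and host, no path).

```python
from urllib.parse import urlsplit

# Constructed sample .env content; the domains are placeholders.
SAMPLE_ENV = """\
CORS_ENABLED=true
CORS_ORIGIN=https://www.example.com,https://app.example.com
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"').strip("'")
    return values

def audit_cors(text):
    """Return a list of findings; an empty list means the allow-list looks sound."""
    env = parse_env(text)
    findings = []
    if env.get("CORS_ENABLED", "").lower() != "true":
        findings.append("CORS_ENABLED is not set to true")
    origin = env.get("CORS_ORIGIN", "")
    if not origin:
        findings.append("CORS_ORIGIN is missing or empty")
        return findings
    # Directus documents CORS_ORIGIN=true as "match the Origin header".
    if origin.lower() == "true" or origin == "*":
        findings.append("CORS_ORIGIN allows every origin")
        return findings
    for entry in (e.strip() for e in origin.split(",")):
        parts = urlsplit(entry)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append(f"{entry!r}: not a scheme://host origin")
        elif parts.path or parts.query or parts.fragment:
            findings.append(f"{entry!r}: has a path, so it cannot equal an Origin header")
        elif "*" in parts.netloc:
            findings.append(f"{entry!r}: wildcard host is not an exact origin")
    return findings

if __name__ == "__main__":
    for finding in audit_cors(SAMPLE_ENV) or ["no findings"]:
        print(finding)
```
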


With CORS in place, browsers now block cross-origin attempts on Directus from any domain that is not listed. The comma-separated list we added names the domains that are allowed past the CORS policy. Directus is now more secure.
