Ever wondered how to stop other websites using your public assets? This article will cover how you can configure Directus to restrict access to your assets.
To restrict public access to your public assets, use the CORS origin configuration to add comma separated list of allowed domains.
For those unfamiliar with CORS, Cross-Origin Resource Sharing is a HTTP header that can "white-list" domains that are allowed to share resources.
To acheive this, we must add some parameters to the configuration file of you project. The Directus configuration is located within the .env file in the root of your project installation directory. This is usually accessed via SSH for linux or the operating system for MacOS and Windows.
Open the .env file using your preferred text editor.
First, we need to make sure CORS is enabled. Check if CORS_ENABLED exists and if not add it on a new line. Then set it to true:
Next, add CORS_ORIGIN underneath and list the domains on the same line separated by a comma.
Save and close the file then restart the Directus service.
With CORS in place, we are now blocking all external attempts on Directus. Furthermore, we have included a comma separated list of domains that are allowed past the CORS policy. Directus is now more secure.