Sign in Subscribe
1 min read Using Directus

How to Restrict Access to Public Assets

Using the Cross-Origin Resource Sharing policy, we can restrict which domains are allowed to access our public assets.

Ever wondered how to stop other websites using your public assets? This article will cover how you can configure Directus to restrict access to your assets.

To restrict public access to your public assets, use the CORS origin configuration to add comma separated list of allowed domains.

For those unfamiliar with CORS, Cross-Origin Resource Sharing is a HTTP header that can "white-list" domains that are allowed to share resources.

To acheive this, we must add some parameters to the configuration file of you project. The Directus configuration is located within the .env file in the root of your project installation directory. This is usually accessed via SSH for linux or the operating system for MacOS and Windows.

Open the .env file using your preferred text editor.

First, we need to make sure CORS is enabled. Check if CORS_ENABLED exists and if not add it on a new line. Then set it to true:

CORS_ENABLED=true
💡
With CORS enabled, all external queries will be blocked by default. Make sure to include domains that rely on the API as well.

Next, add CORS_ORIGIN underneath and list the domains on the same line separated by a comma.

CORS_ORIGIN="https://domain.com,https://sub.domain.com"

Save and close the file then restart the Directus service.

Conclusion

With CORS in place, we are now blocking all external attempts on Directus. Furthermore, we have included a comma separated list of domains that are allowed past the CORS policy. Directus is now more secure.

Published by:

Tim Butterfield

You might also like...

Feb
27
Image Optimization

Image Optimization in Directus

Directus can serve images on a website from the file library using the asset URL, however, if these images are too large, it will impact the performance of both your web application and Directus itself.
2 min read
Feb
24
Sign Out of Directus

How to Logout of Directus

Directus has the amazing ability to keep us logged in even when we close the browser. This saves us so much time however, what happens when we need to log out of Directus?
1 min read
Feb
06
Post to the API

How to perform an API POST Query

Create and update items in your collection using the API.
4 min read
Feb
02
Authenticate with a Token

How to use API Authentication

Every API is different when it comes to Authentication but in Directus, all you need is a Bearer token.
3 min read
Jan
30
How to create an API Authentication Token

How to create an API Authentication Token

Create a new access token in the User Directory. Here you can generate a token and assign a role.
2 min read

By continuing to use our website, you consent to use essential cookies. We also use optional tracking cookies which help us gather statistics to improve our services. Do you consent to these cookies?

I Consent Do not track