I’m trying to understand the new base URL setup in v3.6.3:
If I add to the url allow list in my's config,
will it automatically send an “Access-Control-Allow-Origin:” header when I make a fetch request from to a route of
or would I still have to set the header in the response by myself?

The URL allow list can only be set in the main config. It is meant as a security feature to tell Kirby which base URLs are accepted. It makes sure that an attacking request cannot trick Kirby into generating different URLs for assets, for example. It’s not needed in most server environments, but adds an additional layer of security in reverse proxy setups, for example.

It does not have anything to do with access control headers though. You still have to set them manually.
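
The two settings side by side, as an added example that is not part of the original posts or Kirby's own documentation: the `url` allow list only restricts which base URLs Kirby accepts, while the route sets the CORS header itself. All host names, the `api/status` route and the `$corsOrigins` list are placeholders assumed for illustration.

```php
<?php
// site/config/config.php
// Added example; all host names and the route pattern are placeholders.

use Kirby\Http\Response;

// Origins allowed to read the route's response cross-origin (assumption).
$corsOrigins = ['https://app.example.com'];

return [
    // URL allow list: base URLs Kirby accepts for this site.
    // It affects URL generation only and sends no CORS headers.
    'url' => [
        'https://example.com',
        'https://www.example.com',
    ],

    'routes' => [
        [
            'pattern' => 'api/status',
            'method'  => 'GET',
            'action'  => function () use ($corsOrigins) {
                // Tell caches that the response differs per Origin.
                $headers = ['Vary' => 'Origin'];
                $origin  = kirby()->request()->header('Origin');

                // Echo the origin back only on an exact match with the list;
                // never reflect an arbitrary Origin header.
                if (is_string($origin) && in_array($origin, $corsOrigins, true)) {
                    $headers['Access-Control-Allow-Origin'] = $origin;
                }

                return Response::json(['status' => 'ok'], 200, false, $headers);
            },
        ],
    ],
];
```

A request from an origin outside `$corsOrigins` still gets the JSON body, but without the header the browser blocks the calling script from reading it.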

Thanks for the explanation, Bastian!
I understand the purpose of this feature now =)