Strapi CMS: CORS plugin settings, media uploads, and same-origin policies for the admin panel
The admin UI and public API often share a domain in production; dev environments need explicit localhost origins.
Plugins
Third-party plugins may add routes that do not inherit the global CORS configuration, so audit each extension.
The GraphQL plugin exposes a separate endpoint; duplicate the Allow-Headers settings there for Apollo clients.
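One way to run that audit, as an added example (not Strapi's code or this post's): compare the preflight response headers captured from each route with the policy you intend to enforce. The route paths, origins, and header values below are constructed samples, and `auditCors` is a hypothetical helper name.

```javascript
// Added example: audit captured preflight (OPTIONS) response headers per route
// against the intended CORS policy. All routes and values are constructed samples.
const policy = {
  origins: ['https://cms.example.com', 'http://localhost:3000'], // assumed allowlist
  headers: ['content-type', 'authorization'], // assumed headers the clients send
};

// Each entry: route probed, Origin header sent, response headers received.
const captured = [
  { path: '/api/articles', origin: 'https://cms.example.com',
    res: { 'access-control-allow-origin': 'https://cms.example.com',
           'access-control-allow-headers': 'Content-Type, Authorization' } },
  { path: '/graphql', origin: 'https://cms.example.com',
    res: { 'access-control-allow-origin': 'https://cms.example.com',
           'access-control-allow-headers': 'Content-Type' } },
  { path: '/example-plugin/export', origin: 'https://cms.example.com', res: {} },
  { path: '/example-plugin/search', origin: 'https://untrusted.example',
    res: { 'access-control-allow-origin': 'https://untrusted.example',
           'access-control-allow-headers': 'Content-Type, Authorization' } },
];

// Per the Fetch standard, '*' in Allow-Headers does not cover Authorization.
function covers(allowed, name) {
  return allowed.includes(name) || (allowed.includes('*') && name !== 'authorization');
}

function auditCors(samples, { origins, headers }) {
  const findings = [];
  for (const { path, origin, res } of samples) {
    // Header names are case-insensitive; normalise before lookup.
    const h = Object.fromEntries(Object.entries(res).map(([k, v]) => [k.toLowerCase(), v]));
    const acao = h['access-control-allow-origin'];
    if (acao === undefined) {
      // A trusted origin got no CORS headers: the route skipped the global policy.
      if (origins.includes(origin)) findings.push({ path, issue: 'no-cors-headers' });
      continue;
    }
    if (acao === '*') findings.push({ path, issue: 'wildcard-origin' });
    else if (!origins.includes(acao)) findings.push({ path, issue: 'unlisted-origin-allowed' });
    const allowed = (h['access-control-allow-headers'] || '')
      .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
    const missing = headers.filter((name) => !covers(allowed, name));
    if (missing.length) findings.push({ path, issue: 'missing-allow-headers: ' + missing.join(',') });
  }
  return findings;
}

console.log(auditCors(captured, policy));
```

With the constructed samples, the GraphQL endpoint is flagged for omitting `authorization`, one plugin route for returning no CORS headers at all, and another for allowing an origin outside the allowlist.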
CDN for media
When assets move to S3 or CloudFront, update CORS on the bucket for direct browser fetches.
Signed URLs reduce the need for broad wildcard origins on the API.
