From 59af91cb22cc68947a01aa439e6d8c3448f6f608 Mon Sep 17 00:00:00 2001 From: Catalin Iliescu Date: Mon, 15 Jun 2026 09:06:27 +0300 Subject: [PATCH] docs: clarify ALLOWED_ORIGINS for proxied deployments Document ALLOWED_ORIGINS as exact cross-origin client origins and clarify that same-origin reverse-proxy access usually needs no CORS entry. --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 79e8d9699..08f2305e2 100644 --- a/README.md +++ b/README.md @@ -368,6 +368,7 @@ Odysseus serves plain HTTP on its app port. Docker Compose binds Odysseus and th 4. Keep raw service and model ports internal-only. Cloudflare Access, Tailscale, Caddy, nginx, and Traefik can all fit this pattern; none are required by Odysseus. If your access layer reaches Odysseus on the same host, proxy to `http://127.0.0.1:7000` and keep `AUTH_ENABLED=true`, `LOCALHOST_BYPASS=false`, and `SECURE_COOKIES=true`. +`ALLOWED_ORIGINS` lists exact permitted origins for cross-origin browser/API clients; ordinary same-origin reverse-proxy access usually does not need a special CORS entry. Common internal-only ports from the default docs/compose setup: @@ -401,6 +402,7 @@ Key settings: | `APP_PORT` | `7000` | Docker Compose host port for the web UI. | | `AUTH_ENABLED` | `true` | Enable/disable login | | `LOCALHOST_BYPASS` | `false` | Development-only auth bypass for loopback requests. Keep false for shared/network deployments. | +| `ALLOWED_ORIGINS` | `http://localhost,http://127.0.0.1` | Comma-separated exact permitted origins for cross-origin browser/API clients. | | `SECURE_COOKIES` | `false` | Set true when serving Odysseus through HTTPS at a trusted proxy or private access gateway. | | `DATABASE_URL` | `sqlite:///./data/app.db` | Database connection string | | `CHROMADB_HOST` | `localhost` | ChromaDB host for vector memory. Docker overrides this to `chromadb`. |