---
title: "View source for System Settings/Cors Ssl - DreamFactory Wiki"
source: "http://wiki.dreamfactory.com/index.php?action=edit&title=System_Settings%2FCors_Ssl"
canonical_url: "http://wiki.dreamfactory.com/index.php?action=edit&title=System_Settings%2FCors_Ssl"
converted_at: "2026-04-17T10:41:56.157Z"
format: "markdown"
converted_by: "html-to-md-ai"
---
	# View source for System Settings/Cors Ssl

	
		

{{#seo:
|title=Cors Ssl - DreamFactory Documentation
|title_mode=replace
|canonical=https://wiki.dreamfactory.com/System_Settings/Cors_Ssl
|og:title=Cors Ssl
|og:type=article
|og:site_name=DreamFactory Documentation
}}

&lt;span id="cors-and-ssl">&lt;/span>
= CORS and SSL =

This chapter covers two critical security aspects of your DreamFactory environment: Cross-Origin Resource Sharing (CORS) configuration and securing your web traffic with SSL certificates using Certbot.

&lt;span id="cors-security">&lt;/span>
== CORS Security ==

CORS (Cross-Origin Resource Sharing) is a mechanism that allows a client to interact with an API endpoint which hails from a different domain, subdomain, port, or protocol. DreamFactory is configured by default to disallow all outside requests, so before you can integrate a third-party client such as a web or mobile application, you'll need to enable CORS.

&lt;span id="configuring-cors-in-dreamfactory">&lt;/span>
=== Configuring CORS in DreamFactory ===

To modify your CORS settings, log in to your DreamFactory instance using an administrator account and select the System Settings tab. Next navigate to &lt;code>Config &amp;gt; CORS&lt;/code>, and then click the purple plus button to establish a new connection:

[[File:cors-config-creation.png|thumb|cors config creation]]
From there, you'll then be presented with the following screen:

[[File:cors-setting-config.png|thumb|cors setting config]]
The CORS configuration screen provides several fields to customize your CORS settings:

{| class="wikitable"
|-
! Field
! Description
|-
| Path
| The &lt;code>Path&lt;/code> field defines the path associated with the API you're exposing via this CORS entry. For instance if you've created a Twitter API and would like to expose it, the path might be &lt;code>/api/v2/twitter&lt;/code>. If you want to expose all APIs, use &lt;code>*&lt;/code>.
|-
| Origins
| The &lt;code>Origins&lt;/code> field identifies the network address making the request. If you'd like to allow more than one origin (e.g. www.example.com and www2.example.com), separate each by a comma (&lt;code>www.example.com,www2.example.com&lt;/code>). If you'd like to allow access from anywhere, supply an asterisk &lt;code>*&lt;/code>.
|-
| Description
| The &lt;code>Description&lt;/code> field serves as a descriptive reference explaining the purpose of this CORS entry.
|-
| Headers
| The &lt;code>Headers&lt;/code> field determines what headers can be used in the request. Several headers are whitelisted by default, including &lt;code>Accept&lt;/code>, &lt;code>Accept-Language&lt;/code>, &lt;code>Content-Language&lt;/code>, and &lt;code>Content-Type&lt;/code>. When set, DreamFactory will send the list of declared headers in its response to the preflight request, using the &lt;code>Access-Control-Allow-Headers&lt;/code> header.
|-
| Exposed Headers
| The &lt;code>Exposed Headers&lt;/code> field determines which headers are exposed to the client.
|-
| Max Age
| The &lt;code>Max Age&lt;/code> field determines how long the results of a preflight request (the information found in the &lt;code>Access-Control-Allow-Methods&lt;/code> and &lt;code>Access-Control-Allow-Headers&lt;/code> headers) can be cached. This field's value is passed along to the client using the &lt;code>Access-Control-Max-Age&lt;/code> header.
|-
| Methods
| The &lt;code>Methods&lt;/code> field determines which HTTP methods can be used in conjunction with this CORS definition. The selected values will be passed along to the client using the &lt;code>Access-Control-Allow-Methods&lt;/code> header.
|-
| Supports Credentials
| The &lt;code>Supports Credentials&lt;/code> field determines whether this CORS configuration can be used in conjunction with user authentication. When enabled, the &lt;code>Access-Control-Allow-Credentials&lt;/code> header will be passed and set to &lt;code>true&lt;/code>.
|-
| Enabled
| To enable the CORS configuration, make sure this field is enabled.
|}

Always scope your &lt;code>CORS&lt;/code> settings to the appropriate "scheme/host/port tuple", and allow cross-origin resource access only when there is no other way around it. This keeps the configuration as restrictive as it can be.
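
One way to confirm that a CORS entry admits only the intended scheme/host/port tuple is to audit the headers your instance returns to a preflight request. The script below is an added example, not DreamFactory code; the function names, finding labels, host names and sample responses are assumptions constructed for illustration.

```shell
# Added example (not DreamFactory code): audit a CORS preflight response.
# Live use against your own instance (host names are placeholders):
#   curl -s -o /dev/null -D - -X OPTIONS \
#     -H 'Origin: https://app.example.com' \
#     -H 'Access-Control-Request-Method: GET' \
#     https://df.example.com/api/v2/twitter | audit_cors https://app.example.com allow

# header_value RESPONSE NAME -> value of the first header NAME (case-insensitive)
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v h="$2" '{
    i = index($0, ":")
    if (!seen && i && tolower(substr($0, 1, i - 1)) == tolower(h)) {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; seen = 1
    }
  }'
}

# audit_cors ORIGIN allow|deny   (response headers on stdin)
# ORIGIN is the exact scheme://host[:port] sent; allow/deny is what you expect.
audit_cors() {
  local origin="$1" expect="$2" resp acao creds out=""
  resp="$(cat)"
  acao="$(header_value "$resp" Access-Control-Allow-Origin)"
  creds="$(header_value "$resp" Access-Control-Allow-Credentials)"
  if [ "$acao" = "*" ]; then
    out="WILDCARD_ORIGIN "
    # Browsers refuse credentialed requests when the allowed origin is "*".
    if [ "$creds" = "true" ]; then out="${out}WILDCARD_WITH_CREDENTIALS "; fi
  fi
  case "$expect" in
    allow)
      if [ -z "$acao" ]; then
        out="${out}MISSING_ALLOW_ORIGIN "
      elif [ "$acao" != "*" ] && [ "$acao" != "$origin" ]; then
        out="${out}ORIGIN_MISMATCH "   # scheme, host or port differs
      fi ;;
    deny)
      if [ "$acao" = "*" ] || [ "$acao" = "$origin" ]; then
        out="${out}UNEXPECTED_ALLOW "
      fi ;;
  esac
  out="${out% }"
  printf '%s\n' "${out:-OK}"
}

# Constructed sample responses (not captured from a real server).
SAMPLE_SCOPED='HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 3600'
SAMPLE_OPEN='HTTP/1.1 204 No Content
access-control-allow-origin: *
access-control-allow-credentials: true'
```

Run it once with an origin the entry should admit (&lt;code>allow&lt;/code>) and once with an origin it should not (&lt;code>deny&lt;/code>); anything other than &lt;code>OK&lt;/code> means the Origins or Supports Credentials fields need another look.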
&lt;span id="securing-your-web-traffic-with-ssl-using-certbot">&lt;/span>
== Securing Your Web Traffic with SSL Using Certbot ==

From a networking standpoint DreamFactory is a typical web application, meaning you can easily encrypt all web traffic between the platform and client using an SSL certificate. Unless you've already taken steps to add an SSL certificate to your web server, by default your DreamFactory instance will run on port 80, which means all traffic between your DreamFactory server and client will be unencrypted and therefore subject to capture and review.

Certbot is an open-source utility that simplifies the process of obtaining and renewing SSL certificates from Let's Encrypt. It works directly with the free Let's Encrypt certificate authority to request certificates, prove ownership of your domain, and install the certificate on your web server.

&lt;span id="prerequisites">&lt;/span>
=== Prerequisites ===

&lt;Tabs groupId="os-tabs">
&lt;TabItem value="ubuntu-debian" label="Ubuntu &amp; Debian">
Before installing Certbot, ensure you have:

# A server running Ubuntu or Debian
# A registered domain name with DNS records pointing to your server's IP address
# Nginx or Apache web server installed and configured for your domain (DreamFactory installation typically handles this automatically)
&lt;/TabItem>
&lt;TabItem value="rhel-centos-fedora" label="RHEL-CentOS &amp; Fedora">
Before installing Certbot, ensure you have:

# A server running Red Hat Enterprise Linux, CentOS, or Fedora
# A registered domain name with DNS records pointing to your server's IP address
# Nginx or Apache web server installed and configured for your domain (DreamFactory installation typically handles this automatically)
&lt;/TabItem>
&lt;/Tabs>

&lt;span id="configuring-firewall-rules">&lt;/span>
=== Configuring Firewall Rules ===

&lt;Tabs groupId="os-tabs">
&lt;TabItem value="ubuntu-debian" label="Ubuntu &amp; Debian">
You can skip this section if you are using a different firewall, have already configured your firewall rules, or do not wish to use any firewall.

'''1. If UFW is not installed, install it now using apt or apt-get.'''

&lt;syntaxhighlight lang="bash">sudo apt update
sudo apt install ufw&lt;/syntaxhighlight>
'''2. Add firewall rules to allow ssh (port 22) connections as well as http (port 80) and https (port 443) traffic.'''

&lt;syntaxhighlight lang="bash">sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https&lt;/syntaxhighlight>
Your server may require additional rules depending on which applications you're running (such as mail servers or database servers) and if those applications need to be accessible from other systems.

'''3. Enable UFW if it's not already enabled.'''

&lt;syntaxhighlight lang="bash">sudo ufw enable&lt;/syntaxhighlight>
'''4. Verify that UFW is enabled and properly configured for ssh and web traffic.'''

&lt;syntaxhighlight lang="bash">sudo ufw status&lt;/syntaxhighlight>
This should return a status of active and output the firewall rules that you just added.
&lt;/TabItem>
&lt;TabItem value="rhel-centos-fedora" label="RHEL-CentOS &amp; Fedora">
You can skip this section if you are using a different firewall, have already configured your firewall rules, or do not wish to use any firewall.

'''1. If Firewalld is not installed, install it now using &lt;code>dnf&lt;/code>.'''

&lt;syntaxhighlight lang="bash">sudo dnf install firewalld&lt;/syntaxhighlight>
'''2. Start firewalld and enable it to automatically start on boot.'''

&lt;syntaxhighlight lang="bash">sudo systemctl start firewalld
sudo systemctl enable firewalld&lt;/syntaxhighlight>
'''3. Add firewall rules to allow ssh (port 22) connections as well as http (port 80) and https (port 443) traffic.'''

&lt;syntaxhighlight lang="bash">sudo firewall-cmd --zone=public --permanent --add-service=ssh
sudo firewall-cmd --zone=public --permanent --add-service=http
sudo firewall-cmd --zone=public --permanent --add-service=https&lt;/syntaxhighlight>
If any of these services are already enabled, you may get a warning notice that you can safely ignore. Your server may require additional rules depending on which applications you're running (such as mail servers or database servers).

'''4. Reload firewalld to make these rules take effect.'''

&lt;syntaxhighlight lang="bash">sudo firewall-cmd --reload&lt;/syntaxhighlight>
'''5. Verify that the firewall rules have been properly configured.'''

&lt;syntaxhighlight lang="bash">sudo firewall-cmd --zone=public --permanent --list-services&lt;/syntaxhighlight>
&lt;/TabItem> &lt;/Tabs>

&lt;span id="installing-certbot">&lt;/span>
=== Installing Certbot ===

&lt;Tabs groupId="os-tabs">
&lt;TabItem value="ubuntu-debian" label="Ubuntu &amp; Debian">
[https://snapcraft.io/about Snap] is a package manager developed by Canonical (creators of Ubuntu). Software is packaged as a snap (self-contained application and dependencies) and the snapd tool is used to manage these packages. Since certbot is packaged as a snap, we'll need to install snapd before installing certbot.

'''1. If snapd is not installed, install it now.'''

&lt;syntaxhighlight lang="bash">sudo apt update
sudo apt install snapd&lt;/syntaxhighlight>
'''2. Install the core snap.'''

&lt;syntaxhighlight lang="bash">sudo snap install core
sudo snap refresh core&lt;/syntaxhighlight>
'''3. Remove any previously installed certbot packages to avoid conflicts with the new Snap package.'''

&lt;syntaxhighlight lang="bash">sudo apt remove certbot&lt;/syntaxhighlight>
'''4. Use Snap to install Certbot.'''

&lt;syntaxhighlight lang="bash">sudo snap install --classic certbot&lt;/syntaxhighlight>
'''5. Configure a symbolic link to the Certbot directory using the &lt;code>ln&lt;/code> command.'''

&lt;syntaxhighlight lang="bash">sudo ln -s /snap/bin/certbot /usr/bin/certbot&lt;/syntaxhighlight>
&lt;/TabItem>
&lt;TabItem value="rhel-centos-fedora" label="RHEL-CentOS &amp; Fedora">
[https://snapcraft.io/about Snap] is a package manager developed by Canonical (creators of Ubuntu). Software is packaged as a snap (self-contained application and dependencies) and the snapd tool is used to manage these packages. Since certbot is packaged as a snap, we'll need to install snapd before installing certbot.

'''1. Add the EPEL repository.'''

&lt;syntaxhighlight lang="bash">sudo dnf install epel-release
sudo dnf upgrade&lt;/syntaxhighlight>
'''2. If snapd is not installed, install it now.'''

&lt;syntaxhighlight lang="bash">sudo dnf install snapd&lt;/syntaxhighlight>
'''3. Enable the main snap communication socket.'''

&lt;syntaxhighlight lang="bash">sudo systemctl enable --now snapd.socket&lt;/syntaxhighlight>
'''4. Configure a symbolic link'''

&lt;syntaxhighlight lang="bash">sudo ln -s /var/lib/snapd/snap /snap&lt;/syntaxhighlight>
To use the &lt;code>snap&lt;/code> command, log out of the session and log back in.

'''5. Remove any previously installed certbot packages to avoid conflicts with the new Snap package.'''

&lt;syntaxhighlight lang="bash">sudo dnf remove certbot&lt;/syntaxhighlight>
'''6. Use Snap to install Certbot.'''

&lt;syntaxhighlight lang="bash">sudo snap install --classic certbot&lt;/syntaxhighlight>
'''7. Configure a symbolic link to the Certbot directory using the &lt;code>ln&lt;/code> command.'''

&lt;syntaxhighlight lang="bash">sudo ln -s /snap/bin/certbot /usr/bin/certbot&lt;/syntaxhighlight>
&lt;/TabItem> &lt;/Tabs>

&lt;span id="requesting-a-tlsssl-certificate-using-certbot">&lt;/span>
=== Requesting a TLS/SSL Certificate Using Certbot ===

&lt;Tabs groupId="os-tabs">
&lt;TabItem value="ubuntu-debian" label="Ubuntu &amp; Debian">
During the certificate granting process, Certbot asks a series of questions about the domain so it can properly request the certificate. You must agree to the terms of service and provide a valid administrative email address.

'''1. Run Certbot to start the certificate request.''' When Certbot runs, it requests and installs a certificate file along with a private key file. When used with the web server plugin, Certbot also automatically edits the configuration files for your web server, which dramatically simplifies configuring HTTPS.

:::info[Certbot command by Webserver] &lt;Tabs groupId="webserver-tabs"> &lt;TabItem value="nginx" label="Nginx">

'''Request a certificate and automatically configure it (recommended)'''

&lt;syntaxhighlight lang="bash">sudo certbot --nginx&lt;/syntaxhighlight>
'''Request a certificate without configuring your web server:'''

&lt;syntaxhighlight lang="bash">sudo certbot certonly --nginx&lt;/syntaxhighlight>
&lt;/TabItem> &lt;TabItem value="apache" label="Apache">

'''Request a certificate and automatically configure it (recommended)'''

&lt;syntaxhighlight lang="bash">sudo certbot --apache&lt;/syntaxhighlight>
'''Request a certificate without configuring your web server:'''

&lt;syntaxhighlight lang="bash">sudo certbot certonly --apache&lt;/syntaxhighlight>
&lt;/TabItem> &lt;/Tabs> :::

To request the certificate without relying on your web server installation, you can instead use the [https://eff-certbot.readthedocs.io/en/latest/using.html#standalone standalone plugin] (&lt;code>--standalone&lt;/code>).

'''2. Follow the prompts to complete the certificate request:'''

* Enter an email address for urgent notices
* Accept the terms of service
* Optionally subscribe to the mailing list
* Enter domain name(s) for the certificate (e.g., &lt;code>example.com, www.example.com&lt;/code>)

If the operation is successful, Certbot confirms the certificates are enabled and displays information about the certificate locations and expiration date.
&lt;/TabItem>
&lt;TabItem value="rhel-centos-fedora" label="RHEL-CentOS &amp; Fedora">
During the certificate granting process, Certbot asks a series of questions about the domain so it can properly request the certificate. You must agree to the terms of service and provide a valid administrative email address.

'''1. Run Certbot to start the certificate request.''' When Certbot runs, it requests and installs a certificate file along with a private key file. When used with the web server plugin, Certbot also automatically edits the configuration files for your web server, which dramatically simplifies configuring HTTPS.

:::info[Certbot command by Webserver] &lt;Tabs groupId="webserver-tabs"> &lt;TabItem value="nginx" label="Nginx">

'''Request a certificate and automatically configure it (recommended)'''

&lt;syntaxhighlight lang="bash">sudo certbot --nginx&lt;/syntaxhighlight>
'''Request a certificate without configuring your web server:'''

&lt;syntaxhighlight lang="bash">sudo certbot certonly --nginx&lt;/syntaxhighlight>
&lt;/TabItem> &lt;TabItem value="apache" label="Apache">

'''Request a certificate and automatically configure it (recommended)'''

&lt;syntaxhighlight lang="bash">sudo certbot --apache&lt;/syntaxhighlight>
'''Request a certificate without configuring your web server:'''

&lt;syntaxhighlight lang="bash">sudo certbot certonly --apache&lt;/syntaxhighlight>
&lt;/TabItem> &lt;/Tabs> :::

To request the certificate without relying on your web server installation, you can instead use the [https://eff-certbot.readthedocs.io/en/latest/using.html#standalone standalone plugin] (&lt;code>--standalone&lt;/code>).

'''2. Follow the prompts to complete the certificate request:'''

* Enter an email address for urgent notices
* Accept the terms of service
* Optionally subscribe to the mailing list
* Enter domain name(s) for the certificate (e.g., &lt;code>example.com, www.example.com&lt;/code>)

If the operation is successful, Certbot confirms the certificates are enabled and displays information about the certificate locations and expiration date.
&lt;/TabItem>
&lt;/Tabs>

&lt;span id="automating-certificate-renewal">&lt;/span>
=== Automating Certificate Renewal ===

&lt;Tabs groupId="os-tabs">
&lt;TabItem value="ubuntu-debian" label="Ubuntu &amp; Debian">
Let's Encrypt certificates are valid for 90 days. Certbot automatically sets up a renewal process, but you can test it with:

&lt;syntaxhighlight lang="bash">sudo certbot renew --dry-run&lt;/syntaxhighlight>
To manually renew all certificates:

&lt;syntaxhighlight lang="bash">sudo certbot renew&lt;/syntaxhighlight>
Certbot does not renew certificates unless they are scheduled to expire soon. Avoid using the &lt;code>--force-renewal&lt;/code> flag as it could exceed Let's Encrypt's rate limits.
&lt;/TabItem>
&lt;TabItem value="rhel-centos-fedora" label="RHEL-CentOS &amp; Fedora">
Let's Encrypt certificates are valid for 90 days. Certbot automatically sets up a renewal process, but you can test it with:

&lt;syntaxhighlight lang="bash">sudo certbot renew --dry-run&lt;/syntaxhighlight>
To manually renew all certificates:

&lt;syntaxhighlight lang="bash">sudo certbot renew&lt;/syntaxhighlight>
Certbot does not renew certificates unless they are scheduled to expire soon. Avoid using the &lt;code>--force-renewal&lt;/code> flag as it could exceed Let's Encrypt's rate limits.
&lt;/TabItem> &lt;/Tabs>
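
The check below is an added example, not part of the DreamFactory documentation: it classifies a certificate by the time left before it expires, so that a certificate automatic renewal should already have replaced gets noticed. The function names, the 30-day default threshold and the sample date are assumptions; it requires GNU &lt;code>date&lt;/code>.

```shell
# Added example (not from the DreamFactory docs): report how close a
# certificate is to expiry. Input is the line printed by:
#   openssl x509 -noout -enddate -in /etc/letsencrypt/live/<your-domain>/cert.pem
# Requires GNU date (-d). The 30-day default threshold is an assumption; set
# it to match the renewal window of your Certbot installation.

# seconds_left NOTAFTER_LINE NOW_EPOCH -> seconds until expiry (may be negative)
seconds_left() {
  local end_epoch
  end_epoch="$(date -u -d "${1#notAfter=}" +%s 2>/dev/null)" || return 1
  echo $(( end_epoch - $2 ))
}

# renewal_state NOTAFTER_LINE [NOW_EPOCH] [THRESHOLD_DAYS]
# Prints "OK <days>", "RENEW_DUE <days>", "EXPIRED" or "UNPARSEABLE".
renewal_state() {
  local now="${2:-$(date +%s)}" threshold="${3:-30}" secs
  if ! secs="$(seconds_left "$1" "$now")"; then
    echo UNPARSEABLE
    return 0
  fi
  if [ "$secs" -le 0 ]; then
    echo EXPIRED
  elif [ "$secs" -lt $(( threshold * 86400 )) ]; then
    # Renewal is due. If this state persists across runs, automatic renewal
    # is not succeeding: check the logs under /var/log/letsencrypt/.
    echo "RENEW_DUE $(( secs / 86400 ))"
  else
    echo "OK $(( secs / 86400 ))"
  fi
}

# Constructed sample line in the format openssl prints.
SAMPLE_ENDDATE='notAfter=Jun  1 12:00:00 2025 GMT'
```

Run it from a scheduled job; it only reads the certificate, so it is safe to run as often as you like, unlike &lt;code>--force-renewal&lt;/code>.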

&lt;span id="troubleshooting-ssl-issues">&lt;/span>
=== Troubleshooting SSL Issues ===

If you encounter issues with your SSL certificate:

# Check that your domain's DNS records are correctly pointing to your server
# Ensure your firewall allows traffic on ports 80 and 443
# Verify that NGINX is properly configured to use the certificate
# Check Certbot's logs at &lt;code>/var/log/letsencrypt/&lt;/code>

[[Category:CORS]]