If you're getting an "Unauthorized origin" error in production, here are the solutions:
Add these environment variables to your production deployment:
# Add your production domain to allowed origins
ALLOWED_ORIGINS=https://yourdomain.com,https://www.yourdomain.com
# Optional: Disable origin check temporarily for testing
DISABLE_ORIGIN_CHECK=true

Edit lib/security-config.ts and add your production domain:
allowedOrigins: [
'http://localhost:3000',
'http://127.0.0.1:3000',
'https://localhost:3000',
'https://127.0.0.1:3000',
'https://yourdomain.com', // Add your domain here
'https://www.yourdomain.com', // Add www version if needed
// ... rest of configuration
],

For testing purposes, you can temporarily disable origin checking by setting:
DISABLE_ORIGIN_CHECK=true

Create a .env.production file or set these in your deployment platform:
# Required: Add your production domain
ALLOWED_ORIGINS=https://yourdomain.com,https://www.yourdomain.com
# Optional: API Security Key (generate a strong random key)
REDIS_GUI_API_KEY=your-very-secure-random-key-here
# Optional: Rate Limiting Configuration
RATE_LIMIT_WINDOW_MS=900000
RATE_LIMIT_MAX_REQUESTS=100
# Optional: Disable origin check (NOT recommended for production)
# DISABLE_ORIGIN_CHECK=true
# Schema Advisor Limits (for large datasets)
SCHEMA_ADVISOR_MAX_KEYS_WEB=10000 # Web deployment limit (most restrictive)
SCHEMA_ADVISOR_MAX_KEYS=50000 # Production deployment limit
SCHEMA_ADVISOR_MAX_KEYS_DEV=100000 # Development limit (most permissive)
# Deployment Type Configuration
NODE_ENV=production
IS_WEB_DEPLOYMENT=true # Set to 'true' for web deployments (Vercel, Netlify, etc.)

The application supports different deployment types with appropriate limits for schema analysis:

- Use case: Shared hosting platforms (Vercel, Netlify, etc.)
- Default limit: 10,000 keys
- Reasoning: Shared resources, multiple users, performance protection
- Environment: NODE_ENV=production + IS_WEB_DEPLOYMENT=true

- Use case: Dedicated production servers
- Default limit: 50,000 keys
- Reasoning: Dedicated resources, controlled environment
- Environment: NODE_ENV=production + IS_WEB_DEPLOYMENT=false

- Use case: Local development
- Default limit: 100,000 keys
- Reasoning: Local environment, no shared resources
- Environment: NODE_ENV=development

You can override the default limits by setting environment variables:
# For web deployments
SCHEMA_ADVISOR_MAX_KEYS_WEB=5000
# For production deployments
SCHEMA_ADVISOR_MAX_KEYS=25000
# For development
SCHEMA_ADVISOR_MAX_KEYS_DEV=50000

- Go to your project dashboard
- Navigate to Settings > Environment Variables
- Add these environment variables:
  - ALLOWED_ORIGINS with your domain
  - IS_WEB_DEPLOYMENT=true (for web deployment limits)
  - SCHEMA_ADVISOR_MAX_KEYS_WEB=10000 (optional, customize limit)
- Redeploy your application

- Go to Site settings > Environment variables
- Add these environment variables:
  - ALLOWED_ORIGINS with your domain
  - IS_WEB_DEPLOYMENT=true (for web deployment limits)
  - SCHEMA_ADVISOR_MAX_KEYS_WEB=10000 (optional, customize limit)
- Redeploy your site
Add to your docker-compose.yml or Dockerfile:
environment:
  - ALLOWED_ORIGINS=https://yourdomain.com

To see what origins are being blocked, check your server logs. The security middleware will log:
- The origin that was blocked
- The current allowed origins list

- Always use HTTPS in production
- Never disable origin checking without understanding the security implications
- Use specific domains instead of wildcards when possible
- Regularly review your allowed origins list
- Monitor logs for unauthorized access attempts
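
An added example, not the project's own middleware: a TypeScript sketch of parsing a comma-separated ALLOWED_ORIGINS value and matching the request origin exactly, returning the blocked-origin log text described above. The function names, the dropping of malformed or wildcard entries, and the rejection of requests with no Origin header are assumptions.

```typescript
// Added example with hypothetical helper names; not lib/security-config.ts.
type Env = Record<string, string | undefined>;

interface OriginDecision {
  allowed: boolean;
  reason: string; // text a middleware would write to the server log
}

// Accept only scheme://host[:port]: no path, query, wildcard or credentials.
const ORIGIN_RE = /^(https?):\/\/([a-z0-9.-]+|\[[0-9a-f:]+\])(?::(\d{1,5}))?$/;

// Canonical form: lower-case, one trailing slash and default port dropped.
// Returns null when the value is not a well-formed origin.
function normalizeOrigin(raw: string): string | null {
  const m = ORIGIN_RE.exec(raw.trim().toLowerCase().replace(/\/$/, ""));
  if (!m) return null;
  const [, scheme, host, port] = m;
  const isDefault =
    (scheme === "https" && port === "443") || (scheme === "http" && port === "80");
  return port && !isDefault ? `${scheme}://${host}:${port}` : `${scheme}://${host}`;
}

// Parse ALLOWED_ORIGINS; malformed entries (including wildcards) are dropped.
function parseAllowedOrigins(env: Env): Set<string> {
  const out = new Set<string>();
  for (const entry of (env.ALLOWED_ORIGINS ?? "").split(",")) {
    const origin = normalizeOrigin(entry);
    if (origin) out.add(origin);
  }
  return out;
}

function checkOrigin(originHeader: string | undefined, env: Env): OriginDecision {
  if (env.DISABLE_ORIGIN_CHECK === "true") {
    return { allowed: true, reason: "origin check disabled (testing only)" };
  }
  const allowed = parseAllowedOrigins(env);
  // Assumption: a request without an Origin header is rejected.
  const origin = originHeader ? normalizeOrigin(originHeader) : null;
  // Exact set membership. A prefix or substring test would also accept a
  // lookalike host such as https://yourdomain.com.lookalike.example.
  if (origin && allowed.has(origin)) return { allowed: true, reason: `allowed ${origin}` };
  const seen = JSON.stringify(originHeader ?? null);
  return {
    allowed: false,
    reason: `blocked origin=${seen} allowed=[${Array.from(allowed).join(", ")}]`,
  };
}
```

The `reason` string of a blocked decision carries both items the server log is said to contain, so a rejected production domain can be copied straight into ALLOWED_ORIGINS.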
After setting up the environment variables:
- Deploy your application
- Try accessing it from your production domain
- Check the browser console for any security errors
- Verify that API calls work correctly
If you're still having issues, check the server logs for the exact origin being blocked and add it to your allowed origins list.