By default, Countly allows API requests from any origin (Access-Control-Allow-Origin: *).
This is intentional, as Countly cannot know in advance which domains will be used by customer websites and applications.
This default behavior is similar to how Countly ships with HTTP enabled by default — secure, opinionated defaults that work out of the box, while still allowing you to apply stricter controls when needed.
If you want to restrict API access to specific domains, follow the workflow below.
Recommended Migration Workflow
If you already have applications in production, we recommend migrating gradually to avoid breaking existing integrations.
1. Identify Reporting Domains per Application
For each application using the Countly SDK, determine:
- Which website domains are sending data to Countly
- Which teams or projects own those applications
Applications Affected
This step is important because CORS restrictions are applied per application, not globally. So specific app keys would only work from particular domains.
2. Configure Allowed Origins per Application
For each application:
- Go to
Management → Applications → [Your Application] → App Settings Open Access Control Origin
Add the required domains (for example):
https://example.com https://app.example.com- Save the changes
These domains will now be allowed to send data only for this specific application and app key.
3. Verify That CORS Is Working Correctly
After adding domains, ask the application team to verify the server response headers.
Previously, the response header would look like:
Access-Control-Allow-Origin: *After configuration, it should return this for your domain:
Access-Control-Allow-Origin: https://your-domain.comIf the requesting domain appears in the response header, the CORS filter is configured correctly and the application should work as expected.
4. Disable Global “Allow Any Origin” Header
Once:
- All teams have confirmed their applications are working or
- A migration deadline has been reached
You can disable the global wildcard CORS header.
Steps:
- Go to
Settings → Security → API Headers Remove the value:
Access-Control-Allow-Origin: *- Save the changes
After this:
- Countly will no longer respond with wildcard
*to:- newly created applications
- applications that you have not set Access-Control-Origin
- API access will only work for domains explicitly configured in application settings
5. Handling Future Applications or Issues
If, in the future, a team reports that:
- The SDK cannot reach the Countly server
- The browser shows a CORS-related error
They will need to:
- Add their website domain under
Management → Applications → App Settings → Access Control Origin
This ensures continued security while allowing controlled expansion.