Configuring CORS in Countly

By default, Countly allows API requests from any origin (Access-Control-Allow-Origin: *).
This is intentional, as Countly cannot know in advance which domains will be used by customer websites and applications.

This default behavior is similar to how Countly ships with HTTP enabled by default — secure, opinionated defaults that work out of the box, while still allowing you to apply stricter controls when needed.

If you want to restrict API access to specific domains, follow the workflow below.

Recommended Migration Workflow

If you already have applications in production, we recommend migrating gradually to avoid breaking existing integrations.

1. Identify Reporting Domains per Application

For each application using the Countly SDK, determine:

  • Which website domains are sending data to Countly
  • Which teams or projects own those applications

Applications Affected

This step is important because CORS restrictions are applied per application, not globally. So specific app keys would only work from particular domains.

2. Configure Allowed Origins per Application

For each application:

  1. Go to
    Management → Applications → [Your Application] → App Settings
  2. Open Access Control Origin

    Add the required domains (for example):

    https://example.com
    https://app.example.com
  3. Save the changes

These domains will now be allowed to send data only for this specific application and app key.

3. Verify That CORS Is Working Correctly

After adding domains, ask the application team to verify the server response headers.

Previously, the response header would look like:

Access-Control-Allow-Origin: *

After configuration, it should return this for your domain:

Access-Control-Allow-Origin: https://your-domain.com

If the requesting domain appears in the response header, the CORS filter is configured correctly and the application should work as expected.

4. Disable Global “Allow Any Origin” Header

Once:

  • All teams have confirmed their applications are working or
  • A migration deadline has been reached

You can disable the global wildcard CORS header.

Steps:

  1. Go to
    Settings → Security → API Headers
  2. Remove the value:

    Access-Control-Allow-Origin: *
  3. Save the changes

After this:

  • Countly will no longer respond with wildcard * to:
    • newly created applications
    • applications that you have not set Access-Control-Origin
  • API access will only work for domains explicitly configured in application settings

5. Handling Future Applications or Issues

If, in the future, a team reports that:

  • The SDK cannot reach the Countly server
  • The browser shows a CORS-related error

They will need to:

  • Add their website domain under
    Management → Applications → App Settings → Access Control Origin

This ensures continued security while allowing controlled expansion.

Was this page helpful?
Reach out to us for any other questions.
Helpful?

Looking for more Help?