# Milky Shots MilkyShot logo _A place where to look for images_ **TODO: fill more information here** ## Configuration ### CORS allowed origins The API uses a CORS policy to control which browser origins may call it. Allowed origins are configured via the `CorsAllowedOrigins` key. **`appsettings.json` (default / development)** ```json { "CorsAllowedOrigins": [ "http://localhost:5269", "http://localhost:8080" ] } ``` **Environment variable (Docker / production)** Set the `CorsAllowedOrigins` environment variable to a **semicolon-separated** list of origins. This value **replaces** the entire array from `appsettings.json`, so you must list every origin you want to allow: ``` CorsAllowedOrigins=http://myserver:8080 # or multiple origins: CorsAllowedOrigins=http://myserver:8080;https://myserver.example.com ``` To allow any origin (useful when the server IP is unknown at deploy time): ``` CorsAllowedOrigins=* ``` > **⚠️ Security warning:** Setting `CorsAllowedOrigins=*` disables CORS origin > checking entirely — **any** website can make authenticated requests to the API from > a visitor's browser. Only use this option in fully trusted, self-hosted environments > where you control all network access. For any internet-facing deployment always > specify explicit origins instead. This is already set up in `docker-compose.yml` — override it with your server's hostname/IP if you are not running on localhost. ### Configuring CORS for the MilkStream frontend MilkStream is the Blazor WASM frontend that talks to the Lactose API. Because the browser fetches the API directly, the **origin of MilkStream as seen by the browser** must be listed in `CorsAllowedOrigins` on the Lactose service. The two services are mapped in `docker-compose.yml` as follows: | Service | Container port | Host port | Browser URL (default) | |------------|---------------|-----------|----------------------| | `lactose` | 8080 | **5162** | `http://yourserver:5162` | | `milkstream`| 8080 | **8080** | `http://yourserver:8080` | MilkStream's URL (`http://yourserver:8080`) must be added to Lactose's allowed origins, and `LactoseBaseUrl` on MilkStream must point to the URL the **browser** uses to reach Lactose (`http://yourserver:5162`). **Example — running on `myserver.local`:** ```yaml # docker-compose.yml (relevant excerpts) lactose: environment: - CorsAllowedOrigins=http://myserver.local:8080 # MilkStream origin seen by the browser milkstream: environment: - LactoseBaseUrl=http://myserver.local:5162/ # Lactose URL seen by the browser ``` **Example — running on localhost (default):** ```yaml lactose: environment: - CorsAllowedOrigins=http://localhost:8080 milkstream: environment: - LactoseBaseUrl=http://localhost:5162/ ``` If you expose MilkStream on a non-standard port or via HTTPS, adjust both values accordingly and list the exact `scheme://host:port` that appears in the browser's address bar.