{"id":38596,"date":"2024-02-14T17:21:51","date_gmt":"2024-02-14T16:21:51","guid":{"rendered":"https:\/\/churchtools.academy\/help\/non-knowledgebase\/uncategorized\/cors\/"},"modified":"2026-02-09T12:40:13","modified_gmt":"2026-02-09T11:40:13","password":"","slug":"cors","status":"publish","type":"docs","link":"https:\/\/churchtools.academy\/en\/help\/system-settings\/api\/cors\/","title":{"rendered":"CORS"},"content":{"rendered":"\n<p>CORS stands for Cross-Origin Resource Sharing (<a class=\"external\" href=\"https:\/\/developer.mozilla.org\/de\/docs\/Web\/HTTP\/CORS\" target=\"_blank\" rel=\"noopener\">MDN<\/a>). This is a security policy that is built into browsers to protect the user. In simple terms, this means that a website cannot simply (re)load external resources that do not belong to its own domain unless they are explicitly permitted.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Example<\/strong><\/h2>\n\n\n\n<p>Your own congregation website is available at <code>https:\/\/my-church-website.uk\/<\/code>. All resources (CSS, JS and images) are delivered from this domain. The header image, for example, can be viewed via the URL <code>https:\/\/my-church-website.uk\/header.jpg<\/code>. In this case, the browser allows the header image to be loaded because the domain is the same.<\/p>\n\n\n\n<p>If the website attempts to load data from ChurchTools, e.g. to display the pastor&#8217;s contact details, the API <code>https:\/\/my-congregation.church.tools\/api\/persons\/1<\/code> must be called. There are two scenarios that need to be distinguished here:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Backend call<\/h3>\n\n\n\n<p>If your congregation website retrieves the contact data via the ChurchTools API using your own server (PHP, NodeJS, etc.), there are no problems. The call is considered secure because it is your own server and nobody else has access to it.
<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Frontend call<\/h3>\n\n\n\n<p>If the ChurchTools API is called via the frontend (Vanilla JS, jQuery, Angular, Vue or using HTML tags), the browser checks whether loading is permitted. The browser does this so that the user does not load third-party content that an attacker may have planted. The browser therefore asks ChurchTools whether your website with the domain <code>meine-gemeinde-website.de<\/code> has permission to load this data.<\/p>\n\n\n\n<p>This is not allowed by default, so the API call fails and no data reaches the website.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Set CORS headers<\/h2>\n\n\n\n<p>In order for the API call to succeed via the frontend, ChurchTools must send certain CORS headers in the response, which explicitly list all websites that are allowed to execute this call.<\/p>\n\n\n\n<p>You can set and manage the permitted URLs, also known as Access Control Allow Origins (4), in the system settings (1) under <em>Integrations<\/em> (2) <em>&gt; Cross-Origin Resource Sharing<\/em> (3).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/churchtools.academy\/wp-content\/uploads\/2024\/02\/Cross-origin-ressource-sharing-CleanShot-2025-08-21-at-11.00.40@2x-scaled.png\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"414\" src=\"https:\/\/churchtools.academy\/wp-content\/uploads\/2024\/02\/Cross-origin-ressource-sharing-CleanShot-2025-08-21-at-11.00.40@2x-1024x414.png\" alt=\"System settings - Integration - Cross-Origin Resource Sharing\" class=\"wp-image-38608\" srcset=\"https:\/\/churchtools.academy\/wp-content\/uploads\/2024\/02\/Cross-origin-ressource-sharing-CleanShot-2025-08-21-at-11.00.40@2x-1024x414.png 1024w, https:\/\/churchtools.academy\/wp-content\/uploads\/2024\/02\/Cross-origin-ressource-sharing-CleanShot-2025-08-21-at-11.00.40@2x-300x121.png 300w, 
https:\/\/churchtools.academy\/wp-content\/uploads\/2024\/02\/Cross-origin-ressource-sharing-CleanShot-2025-08-21-at-11.00.40@2x-768x311.png 768w, https:\/\/churchtools.academy\/wp-content\/uploads\/2024\/02\/Cross-origin-ressource-sharing-CleanShot-2025-08-21-at-11.00.40@2x-1536x621.png 1536w, https:\/\/churchtools.academy\/wp-content\/uploads\/2024\/02\/Cross-origin-ressource-sharing-CleanShot-2025-08-21-at-11.00.40@2x-2048x828.png 2048w, https:\/\/churchtools.academy\/wp-content\/uploads\/2024\/02\/Cross-origin-ressource-sharing-CleanShot-2025-08-21-at-11.00.40@2x-360x146.png 360w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<aside class=\"wp-block-group ct-artikel-zum-weiterlesen has-background is-layout-constrained wp-container-core-group-is-layout-89fd719a wp-block-group-is-layout-constrained\" style=\"border-radius:8px;background-color:#f9fafb;margin-top:24px;margin-bottom:24px;padding-top:32px;padding-right:24px;padding-bottom:32px;padding-left:24px\">\n<h2 class=\"wp-block-heading has-medium-font-size\">Further reading<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/churchtools.academy\/en\/help\/system-settings\/api-en\/overview-api\/\" data-type=\"docs\" data-id=\"7251\">Overview API<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/churchtools.academy\/de\/help\/system-settings\/api\/0-api-dokumentation\/\" data-type=\"docs\" data-id=\"7253\">API documentation<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/churchtools.academy\/de\/help\/system-settings\/api\/0-api-authentifizierung\/\" data-type=\"docs\" data-id=\"7252\">API authentication<\/a><\/li>\n<\/ul>\n<\/aside>\n","protected":false},"excerpt":{"rendered":"<p>CORS stands for Cross-Origin Resource Sharing (MDN). This is a security policy that is built into browsers to protect the user. In simple terms, this means that a website cannot simply (re)load external resources that do not belong to its own domain unless they are explicitly permitted. 
Example Your own congregation website is available at https:\/\/my-church-website.uk\/ . [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"doc_category":[461,461],"doc_tag":[653],"knowledge_base":[425],"class_list":{"0":"post-38596","1":"docs","2":"type-docs","3":"status-publish","4":"hentry","5":"doc_category-api-en","7":"doc_tag-content-outdated-en","8":"knowledge_base-system-settings"},"pp_statuses_selecting_workflow":false,"pp_workflow_action":"current","pp_status_selection":"publish","acf":[],"year_month":"2026-04","word_count":346,"total_views":"1425","reactions":{"happy":"0","normal":"0","sad":"0"},"author_info":{"name":"Victoria Weidemann","author_nicename":"vweidemann","author_url":"https:\/\/churchtools.academy\/en\/author\/vweidemann\/"},"doc_category_info":[{"term_name":"API","term_url":"https:\/\/churchtools.academy\/en\/help\/system-settings\/api-en\/"},{"term_name":"API","term_url":"https:\/\/churchtools.academy\/en\/help\/system-settings\/api-en\/"}],"doc_tag_info":[{"term_name":"Content outdated","term_url":"https:\/\/churchtools.academy\/en\/docs-tag\/content-outdated-en\/"}],"knowledge_base_info":[{"term_name":"System 
Settings","term_url":"https:\/\/churchtools.academy\/en\/help\/system-settings\/","term_slug":"system-settings"}],"knowledge_base_slug":["system-settings"],"_links":{"self":[{"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/docs\/38596","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/comments?post=38596"}],"version-history":[{"count":10,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/docs\/38596\/revisions"}],"predecessor-version":[{"id":48065,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/docs\/38596\/revisions\/48065"}],"wp:attachment":[{"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/media?parent=38596"}],"wp:term":[{"taxonomy":"doc_category","embeddable":true,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/doc_category?post=38596"},{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/doc_tag?post=38596"},{"taxonomy":"knowledge_base","embeddable":true,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/knowledge_base?post=38596"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}