# Security
# CORS Security
CORS (Cross-Origin Resource Sharing) is the browser-enforced mechanism that allows a web page served from one origin to call an API that lives on a different origin, meaning a different domain, subdomain, port, or protocol. DreamFactory is configured by default to disallow all cross-origin requests, so before you can integrate a browser-based client such as a web application (native mobile clients are not subject to CORS), you'll need to enable CORS.
You can modify your CORS settings in DreamFactory under the Config tab. You'll be presented with the following interface:

To enable CORS for a specific originating network address such as an IP address or domain, press the plus (+) button located at the top of the screen. Doing so will enable all of the configuration fields found below:
Path
: The `Path` field defines the path associated with the API you're exposing via this CORS entry. For instance, if you've created a Twitter API and would like to expose it, the path might be `/api/v2/twitter`. If you want to expose all APIs, use `*`.

Description
: The `Description` field serves as a descriptive reference explaining the purpose of this CORS entry.

Origins
: The `Origins` field identifies the origin (scheme, host and port) of the page making the request, as carried in the request's `Origin` header. If you'd like to allow more than one origin (e.g. www.example.com and www2.example.com), separate each by a comma (`www.example.com,www2.example.com`). If you'd like to allow access from anywhere, supply an asterisk (`*`). Browsers refuse to combine a wildcard origin with credentials, so an entry using `*` cannot serve authenticated requests (see Supports Credentials below).

Headers
: The `Headers` field determines which request headers can be used in the request. Several headers are allowed by default, including `Accept`, `Accept-Language`, `Content-Language`, and `Content-Type`; request headers outside that safelisted set (for example `Authorization` or a custom API-key header) must be listed here before a browser will send them cross-origin. When set, DreamFactory returns the list of declared headers in the preflight response using the `Access-Control-Allow-Headers` header.

Exposed Headers
: The `Exposed Headers` field determines which response headers are exposed to the client. By default a browser lets page script read only a handful of simple response headers; any other header the client needs to see must be listed here, and browsers honour the list via the `Access-Control-Expose-Headers` response header.

Max Age
: The `Max Age` field determines how long, in seconds, the browser may cache the results of a preflight request (the information found in the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers). This value is passed along to the client using the `Access-Control-Max-Age` header.

Methods
: The `Methods` field determines which HTTP methods can be used in conjunction with this CORS definition. The selected values are passed along to the client using the `Access-Control-Allow-Methods` header. Select only the methods the browser client actually needs.

Supports Credentials
: The `Supports Credentials` field determines whether this CORS configuration can be used in conjunction with user authentication carried by the browser (cookies or HTTP authentication). When enabled, the `Access-Control-Allow-Credentials` header is passed and set to `true`. Enable it only together with an explicit list of origins: browsers reject a response that combines `Access-Control-Allow-Credentials: true` with `Access-Control-Allow-Origin: *`, and every origin you do list can then make requests as the logged-in user.

Enabled
: To activate the CORS configuration, make sure this field is enabled.
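As an added example (not part of the DreamFactory documentation or its code), the following JavaScript models how a server honouring one entry built from the fields above answers a browser's preflight and actual request, and how the browser then applies the credentials rule to the response. The entry, the origins, the `X-Api-Key` and `X-Request-Id` header names and the requests are all constructed for illustration; the evaluation logic is the standard CORS protocol, not DreamFactory's implementation.

```javascript
// Added example, not DreamFactory code: one CORS entry (fields named as in the
// form above), the server-side header logic for it, and the browser-side check.
// Every request, origin and header name below is constructed for illustration.

// Request headers a browser may send without them being listed in
// Access-Control-Allow-Headers (the ones the text says are allowed by default).
const SAFELISTED_HEADERS = ["accept", "accept-language", "content-language", "content-type"];

// One CORS entry in the shape of the form fields (constructed sample).
const corsEntry = {
  path: "/api/v2/twitter",
  origins: "https://www.example.com,https://www2.example.com",
  headers: "Authorization,X-Api-Key",
  exposedHeaders: "X-Request-Id",
  maxAge: 600,
  methods: ["GET", "POST"],
  supportsCredentials: true,
  enabled: true,
};

const splitList = (s) => s.split(",").map((x) => x.trim()).filter(Boolean);

function pathMatches(entryPath, reqPath) {
  return entryPath === "*" || reqPath === entryPath || reqPath.startsWith(entryPath + "/");
}

// Server side: the CORS headers (lower-cased names) added to the response, or
// {} when the request is not an allowed cross-origin request. Without these
// headers the browser withholds the response from the calling page.
function corsHeaders(entry, req) {
  const origins = splitList(entry.origins);
  if (!entry.enabled || !pathMatches(entry.path, req.path)) return {};
  if (!req.origin || !(origins.includes("*") || origins.includes(req.origin))) return {};

  const h = {};
  // A "*" entry is sent literally; otherwise the matching origin is echoed back
  // and Vary: Origin keeps caches from serving that echo to a different origin.
  h["access-control-allow-origin"] = origins.includes("*") ? "*" : req.origin;
  if (h["access-control-allow-origin"] !== "*") h["vary"] = "Origin";
  if (entry.supportsCredentials) h["access-control-allow-credentials"] = "true";

  const isPreflight = req.method === "OPTIONS" && Boolean(req.accessControlRequestMethod);
  if (isPreflight) {
    // Preflight: the browser asks whether the real method and its non-safelisted
    // headers are permitted; a refusal is simply a response without CORS headers.
    const allowed = new Set([...SAFELISTED_HEADERS, ...splitList(entry.headers).map((x) => x.toLowerCase())]);
    const requested = (req.accessControlRequestHeaders || []).map((x) => x.toLowerCase());
    if (!entry.methods.includes(req.accessControlRequestMethod)) return {};
    if (!requested.every((x) => allowed.has(x))) return {};
    h["access-control-allow-methods"] = entry.methods.join(", ");
    h["access-control-allow-headers"] = splitList(entry.headers).join(", ");
    h["access-control-max-age"] = String(entry.maxAge); // seconds the browser may cache this answer
  } else if (entry.exposedHeaders) {
    // Actual request: only these response headers become readable to page script.
    h["access-control-expose-headers"] = splitList(entry.exposedHeaders).join(", ");
  }
  return h;
}

// Browser side: may a page at `origin` read a response carrying `headers`?
// With credentials (cookies, HTTP auth) the spec demands an exact origin match
// and an explicit opt-in; a literal "*" is rejected even when the server also
// sent Access-Control-Allow-Credentials: true.
function browserAccepts(headers, origin, withCredentials) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (!allowOrigin) return false;
  if (withCredentials) {
    return allowOrigin === origin && headers["access-control-allow-credentials"] === "true";
  }
  return allowOrigin === "*" || allowOrigin === origin;
}

// Constructed browser requests against the entry above.
const preflight = {
  method: "OPTIONS",
  path: "/api/v2/twitter/tweets",
  origin: "https://www.example.com",
  accessControlRequestMethod: "POST",
  accessControlRequestHeaders: ["Content-Type", "Authorization"],
};
const actual = { method: "POST", path: "/api/v2/twitter/tweets", origin: "https://www.example.com" };
const foreign = { ...actual, origin: "https://attacker.example" };

console.log("preflight:", corsHeaders(corsEntry, preflight));
console.log("foreign origin:", corsHeaders(corsEntry, foreign)); // {} -> blocked by the browser
const wildcard = corsHeaders({ ...corsEntry, origins: "*" }, actual);
console.log("'*' with credentials readable?", browserAccepts(wildcard, actual.origin, true)); // false
```

Run it with `node`. The wildcard case is the one to watch: the server happily emits `Access-Control-Allow-Origin: *` next to `Access-Control-Allow-Credentials: true`, and the browser still refuses to release the response to the page, which is why Supports Credentials needs an explicit origin list.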
Always restrict each CORS entry to the exact scheme/host/port tuple that needs access, and add an entry only when there is no other way for the client to reach the API. A wildcard origin lets every website on the internet make requests to that path from your users' browsers, and an entry with `*` for the path applies that exposure to every API on the instance. For a great explanation of CORS, refer to these articles:
# Securing Your Web Traffic
From a networking standpoint DreamFactory is a typical web application, meaning you can easily encrypt all web traffic between the platform and client using a TLS (SSL) certificate. Unless you've already taken steps to add a certificate to your web server, by default your DreamFactory instance will run on port 80, which means all traffic between your DreamFactory server and its clients, credentials included, will be unencrypted and therefore subject to capture, review and modification in transit. To fix this, install a certificate, serve the instance over HTTPS, and redirect or disable plain HTTP so that clients cannot fall back to it. One of our favorite resources for creating certificates is Let's Encrypt.
Below are resources on how to add an SSL cert to your web server:
# Securing Your Credentials
When generating APIs using DreamFactory's native connectors, you'll logically need to supply a set of credentials so DreamFactory can connect to and interact with the underlying data source. These credentials are stored in the system database, and are encrypted using AES-256 encryption. The credentials are decrypted on-the-fly when DreamFactory connects to the destination data source, and are never cached in plaintext. The ciphertext is only as safe as the key that decrypts it and the host that holds both, so restrict filesystem access to the server's configuration files and lock down access to the system database itself.
# Suppressing Errors
When running DreamFactory in a production environment, be sure to set the `.env` file's `APP_ENV` value to `production` and `APP_DEBUG` to `false`. Leaving `APP_ENV` set to `local`, or `APP_DEBUG` set to `true`, will result in detailed error-related information such as stack traces and file paths being returned to the client rather than quietly logged to the log file. When set properly in a production environment, your `.env` file will look like this:

```
...
APP_ENV=production
APP_DEBUG=false
```
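The following JavaScript is an added example, not part of the DreamFactory documentation or code: a small production-readiness check that parses a `.env` file and reports whether the two settings above are set as the section requires. The parser follows common dotenv conventions (comments, blank lines, optional quotes, an optional `export ` prefix); the two sample files are constructed for the example.

```javascript
// Added example, not DreamFactory code: audit a .env file for the two settings
// that control whether error detail reaches clients. Sample inputs are constructed.

// Parse KEY=value lines into an object; later definitions override earlier ones.
function parseDotenv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue; // not an assignment; ignore rather than guess
    let value = m[2];
    const quoted = /^(["'])(.*?)\1/.exec(value);
    // Quoted values are taken verbatim; unquoted ones lose a trailing comment.
    value = quoted ? quoted[2] : value.replace(/\s+#.*$/, "").trim();
    env[m[1]] = value;
  }
  return env;
}

// Report every setting that would make the instance return error detail to
// clients. Both keys must be present and explicit: relying on defaults is
// reported as a finding so the audit stays conservative.
function auditProductionEnv(text) {
  const env = parseDotenv(text);
  const findings = [];
  const appEnv = env.APP_ENV;
  if (appEnv === undefined) findings.push("APP_ENV is not set; set APP_ENV=production");
  else if (appEnv !== "production") findings.push(`APP_ENV=${appEnv}; expected production`);
  const debug = env.APP_DEBUG;
  if (debug === undefined) findings.push("APP_DEBUG is not set; set APP_DEBUG=false");
  else if (debug.toLowerCase() !== "false") findings.push(`APP_DEBUG=${debug}; expected false`);
  return findings;
}

// Constructed samples: a developer's file and a hardened one.
const DEV_ENV = `
APP_NAME=DreamFactory
APP_ENV=local
APP_DEBUG=true   # handy while developing, fatal in production
`;
const PROD_ENV = `
export APP_ENV="production"
APP_DEBUG=false
`;

console.log(auditProductionEnv(DEV_ENV));  // two findings
console.log(auditProductionEnv(PROD_ENV)); // []
```

Point it at the real file with `fs.readFileSync(".env", "utf8")` from a deploy check or CI job so a forgotten `APP_DEBUG=true` fails the pipeline instead of reaching users.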