Access-Control-Allow-* (CORS)

Hello team

  1. We have an IaaS OD server in Azure.
    Until now we have worked with a self-hosted agent (Build Server) to get packages from Azure DevOps and deploy them to our web apps. We would like to move to hosted agents on Azure DevOps; therefore we’ll need to expose the OD URL to the public. Can we use Access-Control-Allow-* (CORS) to restrict access to the Octopus portal to only Azure DevOps and our internal LAN?

  2. We’re in the process of moving to Octopus SaaS. Is there any security setting on Octopus Cloud that will provide the same security functionality as above?

With many thanks
Ofer

Hi Ofer,

My name’s Jason and I’m a Cloud Architect here at Octopus.

Yes, we do allow CORS whitelisting in Octopus Deploy. Under Configuration -> Web Portal you’ll see a field for CORS whitelisting. You can put a comma-separated list of domains into this field to restrict access to your Octopus instance.

This setting is available in Self-Hosted Octopus and in Octopus Cloud.

Hope this helps!

Thanks

Jason

Many thanks, Jason

In the domain list, I understand that I can whitelist any domain which communicates with the OD portal,
but how do I whitelist our external corporate IP, so the portal will not be available to others except our corporate LAN?
Does Octopus Cloud offer such a security setting?

Regards
Ofer

Hi Ofer,

If you mean VPN or Firewall whitelisting, no, we currently don’t offer that in Octopus Cloud. Octopus Cloud instances are exposed to the internet on Ports 443 and 10943.

If this is something you’d like us to support in the future, feel free to suggest or vote for it on our UserVoice site.

Thanks

Jason
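
The two controls discussed in this thread, side by side, as an added example that is not part of the original posts and is not Octopus Deploy's code: an origin allow-list decides which CORS headers a browser receives, while a source-IP allow-list decides whether a connection is accepted at all. The function names, origins and address ranges below are constructed for illustration.

```python
import ipaddress

def parse_whitelist(field):
    """Split a comma-separated origin list, as typed into a settings field."""
    return {o.strip().rstrip("/").lower() for o in field.split(",") if o.strip()}

def cors_headers(origin, whitelist):
    """Headers a server adds for a cross-origin browser request.

    CORS only tells the browser whether script running on `origin` may read
    the response; a request with no listed Origin simply gets no CORS headers.
    """
    if origin and origin.rstrip("/").lower() in whitelist:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}

def ip_allowed(source_ip, networks):
    """Network-level allow-list: the check a firewall or reverse proxy makes."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

# Constructed sample values (assumptions, not taken from the thread).
WHITELIST = parse_whitelist("https://dev.azure.com, https://portal.corp.example")
CORP_NETWORKS = ["203.0.113.0/24", "10.0.0.0/8"]

def evaluate(source_ip, origin):
    """Return (cors_headers, passes_ip_filter) for one constructed request."""
    return cors_headers(origin, WHITELIST), ip_allowed(source_ip, CORP_NETWORKS)

if __name__ == "__main__":
    requests = [
        ("203.0.113.10", "https://dev.azure.com"),  # browser, listed origin, corporate IP
        ("198.51.100.7", "https://other.example"),  # browser, unlisted origin, outside IP
        ("198.51.100.7", None),                     # non-browser client, no Origin header
    ]
    for ip, origin in requests:
        headers, ip_ok = evaluate(ip, origin)
        print(f"{ip:15} origin={origin!s:28} cors={headers} ip_filter_pass={ip_ok}")
```

The third sample request carries no Origin header, so the origin list has nothing to evaluate; only the source-IP check distinguishes it from a corporate client.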