CORS Whitelist

We have a self-hosted octopus server and we are utilizing the octopus API.

Under Configuration → Web Portal ->CORS whitelisting, we added comma-separated values and ran into CORS errors from the consuming application. However a wildcard works

Working whitelist values : *
Whitelist values that do not work :

  1. *
  2. * , *

Was hoping to get an example of whitelisting specific URI’s and domain-level wildcards.
( We are in version 2022.3.10594 )

Hi @vveerappan,

Thanks for reaching out, and welcome to the Octopus Deploy community!

In doing some digging on your request, it looks like this behavior is determined by the CORS specification, which allows for the following valid values within the Access-Control-Allow-Origin header:

  • * (global wildcard)
  • null
  • exact protocol + domain + port

So unfortunately you wouldn’t be able to use domain-specific wildcards for this within Octopus Deploy as the valid values are determined by the CORS specification itself, and you would instead either need to use a global wildcard or the specific domain(s)/subdomain(s), protocol(s), and port(s).

Sorry I don’t have better news for you on this, but let me know if you have any additional questions or if I can be of any more help and I would be glad to assist further.

Best regards,


This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.