Roots Discourse

Enable CORS header for uploads directory

Hi :wave:t3:

I have a WordPress multisite install that uses Trellis and Bedrock at (example subsite URLs:,, etc.).
I also have a client-side JS apps for each of our clients that interact with the corresponding WP backend subsite via WPGraphQL (example URLs:,, etc.)

From our frontend JS app, we need to be able to download image files from the WP /uploads directory and load them into a client-side image manipulation library that we use.

Currently though, attempts to do that result in a CORS error stating No 'Access-Control-Allow-Origin' header is present on the requested resource. This screenshot illustrates the issue:

If someone could tell me now to add that CORS header so that assets within the /uploads directory can be downloaded, I would appreciate it. I havenโ€™t been able to find documentation/examples. Do I need to add it in roles/wordpress-setup/templates/wordpress-site.conf.j2, somewhere, perhaps?

Please note that WPGraphQL already sets the header to 'Access-Control-Allow-Origin' => '*' in this file: So I already have that set for all requests that involve WordPress executing โ€“ itโ€™s just not set for requests for assets in the /uploads directory.


Hi Kellenmace,

I believe headers should be added via an nginx-includes directory.

Create a directory inside trellis called nginx-includes, then a file for the policies (I donโ€™t think the name matters) followed by conf.j2.

If you want this header to be applied to all sites being provisioned by Trellis. Create a sub directory called all, or one for each site specifically: (matching the domain in wordpress_sites


Here is an example of an item I have inside my nginx-includes, so you see the format.

# {{ ansible_managed }}

{% if env != 'development' -%}
# Prevent logging of assets and cache for maximum time
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg)$ {
    expires max;
    add_header Pragma public;
    add_header Cache-Control "public";
    add_header Vary "Accept-Encoding";
    access_log off;
    log_not_found off;
{%- endif %}

I am not too sure what exact line(s) needs adding in order for it to target the items from /uploads directory, however hopefully the above will be a start.



There is also the nginx_embed_security option!

1 Like

This topic was automatically closed after 42 days. New replies are no longer allowed.