Hi all,
I installed Vikunja tonight for the first time, and to say it’s been a rough ride in an understatement. Pulling the docker image and getting it up and running was trivially easy, but after that,whew. First I dealt with the fact that the latested published desktop apps are broken (Windows and Linux) . I then when to the unstable, and those fired right up, but I’ve now spent hours trying to get CORS working with Vikunja (Docker, behind Nginx Proxy Manager), and after trying every documented approach and several community suggestions, I’m still unable to get the API to return any Access-Control-Allow-Origin header. I’m posting here in hopes someone can spot what I’ve missed.
Environment
- Vikunja version: Tried Unstable, 0.24.6 and 0.24.4
- Deployment: Docker Compose (see below)
- Frontend: Official desktop app and browser
- Proxy: Nginx Proxy Manager (NPM)
- Tried both with and without config.yml
Symptoms
-
Desktop app fails to connect to API due to CORS.
-
Browser console (within Electron app) shows:
Access to XMLHttpRequest at 'https://[my_subdomain].[my_domain].com/api/v1/info' from origin 'http://127.0.0.1:45735' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. -
Curl requests to API endpoints (with Origin header) never return
Access-Control-Allow-Origin, even with CORS enabled and origins set.
What I’ve Tried
Docker Compose Setup
services:
vikunja:
image: vikunja/vikunja:0.24.6
container_name: vikunja
environment:
VIKUNJA_SERVICE_PUBLICURL: https://[my_subdomain].[my_domain].com
VIKUNJA_DATABASE_TYPE: mysql
VIKUNJA_DATABASE_HOST: db
VIKUNJA_DATABASE_USER: [redacted]
VIKUNJA_DATABASE_PASSWORD: [redacted]
VIKUNJA_DATABASE_DATABASE: vikunja
VIKUNJA_SERVICE_JWTSECRET: [redacted]
VIKUNJA_SERVICE_ENABLEREGISTRATION: false
VIKUNJA_CORS_ENABLE: "true"
VIKUNJA_CORS_ORIGINS: "http://127.0.0.1:45735,https://127.0.0.1:45735,https://[my_subdomain].[my_domain].com,http://localhost:45735"
ports:
- "3456:3456"
volumes:
- ./files:/app/vikunja/files
networks:
- nginx_network
restart: unless-stopped
db:
image: mariadb:10
container_name: vikunja_db
environment:
MYSQL_ROOT_PASSWORD: [redacted]
MYSQL_USER: [redacted]
MYSQL_PASSWORD: [redacted]
MYSQL_DATABASE: vikunja
volumes:
- ./db:/var/lib/mysql
networks:
- nginx_network
restart: unless-stopped
- I’ve also tried a minimal compose file with only CORS variables and SQLite—same result.
What I’ve Confirmed
-
No
config.ymlpresent (although I’ve also tried with a config file to no avail) -
Other environment variables work (e.g., toggling registration).
-
Tried wildcards (
VIKUNJA_CORS_ORIGINS: "*") and single origins. -
Full
docker-compose down -v, deleted all volumes, restarted. -
Tried unstable, 0.24.6 and 0.24.4.
-
Curl direct to container (no proxy):
curl -I -H "Origin: http://127.0.0.1:45735" http://localhost:3456/api/v1/infoResponse is always:
HTTP/1.1 401 Unauthorized Vary: OriginNo
**Access-Control-Allow-Origin**header.
Nginx Proxy Manager (NPM) Attempts
- Added all recommended
add_headerlines in the “Advanced” tab. - Tried with and without wildcards, and with specific origins.
- Still no CORS headers on API responses, confirmed with browser and curl.
Community/Docs Review
- Offical docs and multiple forum threads suggest my config should work.
- Other users have reported similar issues, but most eventually resolve with a config or restart fix. I’ve tried all those steps.
Summary Table
| Step/Change | Result |
|---|---|
| CORS env vars set | No CORS headers in API response |
| Wildcard origins | No CORS headers |
| Minimal Compose setup | No CORS headers |
| NPM add_header | No CORS headers |
| Direct curl to container | No CORS headers |
| Other env vars work | Yes (e.g., registration toggle) |
What am I missing? Any advice would be appreciated. Thanks.
