CORS Not Working with Vikunja API (Docker/Nginx Proxy Manager)

Hi all,

I installed Vikunja tonight for the first time, and to say it’s been a rough ride is an understatement. Pulling the docker image and getting it up and running was trivially easy, but after that, whew. First I dealt with the fact that the latest published desktop apps are broken (Windows and Linux). I then went to the unstable, and those fired right up, but I’ve now spent hours trying to get CORS working with Vikunja (Docker, behind Nginx Proxy Manager), and after trying every documented approach and several community suggestions, I’m still unable to get the API to return any Access-Control-Allow-Origin header. I’m posting here in hopes someone can spot what I’ve missed.


Environment

  • Vikunja version: Tried Unstable, 0.24.6 and 0.24.4
  • Deployment: Docker Compose (see below)
  • Frontend: Official desktop app and browser
  • Proxy: Nginx Proxy Manager (NPM)
  • Tried both with and without config.yml

Symptoms

  • Desktop app fails to connect to API due to CORS.

  • Browser console (within Electron app) shows:

    Access to XMLHttpRequest at 'https://[my_subdomain].[my_domain].com/api/v1/info' from origin 'http://127.0.0.1:45735' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
    
  • Curl requests to API endpoints (with Origin header) never return Access-Control-Allow-Origin, even with CORS enabled and origins set.


What I’ve Tried

Docker Compose Setup

services:
  vikunja:
    image: vikunja/vikunja:0.24.6
    container_name: vikunja
    environment:
      VIKUNJA_SERVICE_PUBLICURL: https://[my_subdomain].[my_domain].com
      VIKUNJA_DATABASE_TYPE: mysql
      VIKUNJA_DATABASE_HOST: db
      VIKUNJA_DATABASE_USER: [redacted]
      VIKUNJA_DATABASE_PASSWORD: [redacted]
      VIKUNJA_DATABASE_DATABASE: vikunja
      VIKUNJA_SERVICE_JWTSECRET: [redacted]
      VIKUNJA_SERVICE_ENABLEREGISTRATION: false
      VIKUNJA_CORS_ENABLE: "true"
      VIKUNJA_CORS_ORIGINS: "http://127.0.0.1:45735,https://127.0.0.1:45735,https://[my_subdomain].[my_domain].com,http://localhost:45735"
    ports:
      - "3456:3456"
    volumes:
      - ./files:/app/vikunja/files
    networks:
      - nginx_network
    restart: unless-stopped

  db:
    image: mariadb:10
    container_name: vikunja_db
    environment:
      MYSQL_ROOT_PASSWORD: [redacted]
      MYSQL_USER: [redacted]
      MYSQL_PASSWORD: [redacted]
      MYSQL_DATABASE: vikunja
    volumes:
      - ./db:/var/lib/mysql
    networks:
      - nginx_network
    restart: unless-stopped

  • I’ve also tried a minimal compose file with only CORS variables and SQLite—same result.

What I’ve Confirmed

  • No config.yml present (although I’ve also tried with a config file to no avail)

  • Other environment variables work (e.g., toggling registration).

  • Tried wildcards (VIKUNJA_CORS_ORIGINS: "*") and single origins.

  • Full docker-compose down -v, deleted all volumes, restarted.

  • Tried unstable, 0.24.6 and 0.24.4.

  • Curl direct to container (no proxy):

    curl -I -H "Origin: http://127.0.0.1:45735" http://localhost:3456/api/v1/info
    

    Response is always:

    HTTP/1.1 401 Unauthorized
    Vary: Origin
    

    No **Access-Control-Allow-Origin** header.

Nginx Proxy Manager (NPM) Attempts

  • Added all recommended add_header lines in the “Advanced” tab.
  • Tried with and without wildcards, and with specific origins.
  • Still no CORS headers on API responses, confirmed with browser and curl.

Community/Docs Review

  • Official docs and multiple forum threads suggest my config should work.
  • Other users have reported similar issues, but most eventually resolve with a config or restart fix. I’ve tried all those steps.

Summary Table

| Step/Change | Result |
| --- | --- |
| CORS env vars set | No CORS headers in API response |
| Wildcard origins | No CORS headers |
| Minimal Compose setup | No CORS headers |
| NPM add_header | No CORS headers |
| Direct curl to container | No CORS headers |
| Other env vars work | Yes (e.g., registration toggle) |

What am I missing? Any advice would be appreciated. Thanks.

Welcome! :waving_hand:

If you tried with a config file, how did you specify the cors origins?

You’ll need to specify them as a list, not separated by a comma. That’s only supported with the yaml file. By default, all origins are in the allow list, but cors itself is not enabled. That means if you want to just allow everything, it’s enough to toggle VIKUNJA_CORS_ENABLE and leave out VIKUNJA_CORS_ORIGINS entirely.
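
An added illustration of the reply above, not code from the thread or from Vikunja: a generic exact-match CORS allow-list, under the assumption that a comma-joined environment value ends up as a single entry. It shows how that yields the `Vary: Origin` response with no `Access-Control-Allow-Origin` seen in the curl output; the function names and the `vikunja.example.com` host are hypothetical.

```python
# Added example (not Vikunja's code): a generic exact-match CORS allow-list.
# Assumption: a comma-joined env value is stored as ONE allow-list entry.

ORIGIN = "http://127.0.0.1:45735"  # origin of the desktop app, from the post
# Shape of VIKUNJA_CORS_ORIGINS in the compose file; host name is a constructed placeholder.
ENV_VALUE = ("http://127.0.0.1:45735,https://127.0.0.1:45735,"
             "https://vikunja.example.com,http://localhost:45735")


def origin_allowed(origin, allow_list):
    """Exact string match against each entry; '*' matches every origin."""
    return any(entry in ("*", origin) for entry in allow_list)


def response_headers(origin, allow_list):
    """Headers a generic CORS layer adds for a request carrying this Origin."""
    headers = {"Vary": "Origin"}  # emitted whether or not the origin matched
    if origin_allowed(origin, allow_list):
        headers["Access-Control-Allow-Origin"] = origin
    return headers


def browser_verdict(origin, headers):
    """What a browser does with a non-credentialed cross-origin response."""
    lowered = {k.lower(): v for k, v in headers.items()}
    acao = lowered.get("access-control-allow-origin")
    if acao is None:
        return "blocked: no Access-Control-Allow-Origin header"
    if acao in ("*", origin):
        return "allowed"
    return "blocked: header names a different origin"


def compare():
    """Return the browser verdict for each way of supplying the same origins."""
    cases = {
        "comma-joined string as one entry": [ENV_VALUE],
        "proper list of origins": ENV_VALUE.split(","),
        "wildcard": ["*"],
    }
    return {name: browser_verdict(ORIGIN, response_headers(ORIGIN, entries))
            for name, entries in cases.items()}


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:35} -> {verdict}")
```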