Simplify your stack and build anything. Or everything.

USE CASES

Headless CMS Enterprise App Builder Headless E-Commerce Digital Asset Management

FEATURES

Multi-Tenancy White Label Localization Access Control Auth

CASE STUDIES

See what others are building with Payload.

Browse Case Studies

Build tomorrow’s web with a modern solution you truly own.

PAYLOAD IS FOR

Developers Marketing teams Enterprise companies Agencies & Consultancies

COMPARE PAYLOAD

Payload vs WordPress Payload vs Contentful Payload vs Sanity Payload vs Strapi Payload vs Directus

AGENCY TESTIMONIAL

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Become a Partner Find a Partner

Code-based nature means you can build on top of it to power anything.

Resources

Documentation Examples Templates GitHub Releases Blog Guides & Tutorials

Community

Roadmap Discord Community Help

Resources for Developers

Get the resources you need to start building today

Guides & Tutorials Explore Docs

It’s time to take back your content infrastructure.

Schedule a Demo

Enterprise Features

SSO AI Auto-Embedding Publishing Workflows Visual Editor Static A/B testing AI features

Customer Stories

Microsoft ASICS Blue Origin Hello Bello Tekton

Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case study Browse all

Community Help

CORS & CSRF settings for SSR

ajskates98last year

Hi!

I am using NextJS alongside Payload for my website.

I am using the app directory and as such a lot of my data fetching happens serverside.

When I am running locally, next runs on

localhost:3000

and payload runs on

localhost:3001

When running in production they are in sibling docker-compose containers. This means that they can send requests to each other using

http://payload:3001

and

http://next:3000

respectively.

How would I set up my config to allow for serverside requests. I have only tried in dev so far and have tried passing

["localhost:3000"]

to both the

cors

and

csrf

properties, as well as trying the wildcard option.

I consistently get a 403 Forbidden error when trying to fetch data.

Thanks in advance!

notchrlast year
@1121426427565326520
Morning! Can you please share the specific CORS / CSRF error? Is it an allowed origin error?
ajskates98last year
It was a PICNIC error :/

I hadn't configured access in my collection
notchrlast year
Picnic?

Ahh that will do it
ajskates98last year
Problem in chair, not in computer
notchrlast year
Ahhhhh

lmao

well I'm glad it's resolved

Open

Continue the discussion in Discord

Star on GitHub

Star

Chat on Discord

Discord

online

Can't find what you're looking for?

Get dedicated engineering support directly from the Payload team.