I have a REST API written in Golang and front-end written in Angular running locally. The API is running on localhost:8000 and the Angular app is running on localhost:4200. My Angular application makes frequent GET/POST/DELETE/PUT calls to my API. I would like to keep my API and Angular app separated so that if later I want to add Android or iOS client, I can easily do so with my existing API.
The problem that I have is that both the server and web browser prevent me from CORS, especially for POST methods, and I have taken following action for local development:
- Add
Access-Control-Allow-Origin: *to my Golang API response headers. - Run Chromium browser with web security disabled (otherwise the browser is going to convert POST to OPTIONS):
$ chromium --disable-web-security --user-data-dir
With the settings above, I can run my Angular app on localhost:4200 and call my API at localhost:8000 without issue.
I want to know how I should set up this in production.
My API will be deployed at https://api.myapp.mywebsite.com, for example, and my Angular app will be deployed at https://myapp.mywebsite.com (and they will most likely to be on different physical servers and IP). While I can still make my API accept calls from other origins, I cannot make all my clients running my Angular app in unsafe mode.
What am I missing here?
