From 4bd9218bf504d79021e89512c8c1414e7e5e5654 Mon Sep 17 00:00:00 2001 From: derekc Date: Tue, 10 Mar 2026 22:39:59 -0700 Subject: [PATCH] Clarify CORS_ORIGINS config in README with reverse proxy warning Co-Authored-By: Claude Sonnet 4.6 --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 46105b8..12d60dc 100644 --- a/README.md +++ b/README.md @@ -148,7 +148,11 @@ ALGORITHM=HS256 ACCESS_TOKEN_EXPIRE_MINUTES=30 REFRESH_TOKEN_EXPIRE_DAYS=30 -# Your host IP or domain (no trailing slash) +# Comma-separated list of allowed origins (no trailing slash) +# IMPORTANT: Add every domain/IP you access the app from. +# If you use a reverse proxy (e.g. Nginx Proxy Manager) with a custom domain, +# you MUST add that domain here or API requests will be blocked by the browser. +# Example: CORS_ORIGINS=http://localhost:8054,https://homeschool.example.com CORS_ORIGINS=http://localhost:8054 # Super admin credentials (for /super-admin) @@ -319,7 +323,7 @@ The TV dashboard connects to `ws://host/ws/{child_id}` and receives JSON events: | `ALGORITHM` | No | JWT algorithm (default: `HS256`) | | `ACCESS_TOKEN_EXPIRE_MINUTES` | No | Access token lifetime (default: `30`) | | `REFRESH_TOKEN_EXPIRE_DAYS` | No | Refresh token lifetime (default: `30`) | -| `CORS_ORIGINS` | No | Comma-separated allowed origins (default: `http://localhost:8054`) | +| `CORS_ORIGINS` | No | Comma-separated allowed origins (default: `http://localhost:8054`). **Add every domain you access the app from**, including any custom domain behind a reverse proxy (e.g. `http://localhost:8054,https://homeschool.example.com`). Missing an origin causes API requests to be silently blocked by the browser. | | `ADMIN_USERNAME` | No | Super admin login username (default: `admin`) | | `ADMIN_PASSWORD` | No | Super admin login password (default: `change_me_admin_password`) |
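Review bot: In the `@@ -148,7 +148,11 @@` hunk, the added comment says to add every "domain/IP", but the variable holds origins, and an origin is scheme, host and port together, as the example line itself shows (`http://localhost:8054`, `https://homeschool.example.com`). A reader who follows the wording literally and enters only `homeschool.example.com` will still get blocked requests. Suggest "# IMPORTANT: Add every origin (scheme://host[:port]) you access the app from." and a short remark that `http://` and `https://` on the same host are different origins, since that is the usual mismatch when a reverse proxy terminates TLS.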
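Review bot: In the `@@ -319,7 +323,7 @@` hunk, "silently blocked by the browser" in the `CORS_ORIGINS` row is misleading: the browser reports a CORS error in its developer console, and that message is what a user will look for when troubleshooting. Suggest "blocked by the browser (reported as a CORS error in the developer console)", which also lines up with the `.env` comment in the earlier hunk, where the wording is just "blocked by the browser". The row also says "every domain" and "custom domain" while its own example values are full origins with scheme and port; using "origin" throughout would match the "allowed origins" text at the start of the cell.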