How to configure CORS for Pley
Cross-Origin Resource Sharing (CORS) headers is required for your server to communicate with web browsers.
When your game runs on Pley, it needs to communicate with your backend server. Browsers enforce a security rule called CORS (Cross-Origin Resource Sharing) to allow this. You’ll need to configure your server to accept requests from Pley’s domain: https://*.prod.pley.games
. Here’s how to do it, even if you’re new to web development.
What You Need to Do
Configure your server to:
- Allow requests from
https://*.prod.pley.games
. All Pley requests come through[ID].prod.pley.games
. - Permit common methods like
GET
,POST
, andOPTIONS
. - Add the right CORS headers to its responses.
How-to:
- Find Your Server Config: Look for where your backend handles requests (e.g., code, settings, or a dashboard).
- Set Allowed Origins: Add
https://*.prod.pley.games
as an allowed origin. - Define Allowed Methods: Include at least
GET
,POST
, andOPTIONS
. - Return CORS Headers: Ensure responses include
Access-Control-Allow-Origin
with the Pley domain. - Testing: You can test your implementation by launching the game on the web and opening the browser developer console (
CTRL+Shift+i
orF12
opens the menu on Windows in most browsers.Cmd + Opt + i
on Mac.) If CORS is working, there should be no cross-origin related errors. Example:

Examples
Since every server is different, here are some examples. Adjust these to fit your setup.
Amazon S3
If your game files are on a service like Amazon S3, update its CORS policy. Paste this into your S3 bucket’s CORS settings. It tells S3 to allow Pley to access your game files. Since AWS supports wildcard characters (*
), the config is very simple. Here’s a sample config:
[
{
"AllowedMethods": ["GET", "PUT", "POST"],
"AllowedOrigins": ["https://*.prod.pley.games"]
}
]
Custom Server (C# Backend)
If you run a custom server, add logic to check the request’s Origin header and respond with CORS headers. Often, you can either allow all (*
) or a single domain by default. A solution to this is to programmatically check if the origin ends with prod.pley.games
.
Here’s a simple C# example:
const string ORIGIN_HEADER = "Origin";
const string PLEY_HOST_ENDING = "prod.pley.games";
public static void AddCorsHeaderToResponse(
string requestMethod, IDictionary<string, string> requestHeaders, APIGatewayProxyResponse response)
{
if (!requestHeaders.TryGetValue(ORIGIN_HEADER, out var requestOrigin))
{
// No Origin request header found
return;
}
if (!requestOrigin.EndsWith(PLEY_HOST_ENDING))
{
// The Origin request header does not end with `prod.pley.games`
return;
}
if (response.Headers == null)
response.Headers = new Dictionary<string, string>();
response.Headers.Add("Access-Control-Allow-Origin", requestOrigin);
if (requestMethod == "OPTIONS")
{
response.Headers.Add("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
response.Headers.Add("Access-Control-Allow-Headers", "*");
}
}
Updated 4 days ago