Ackee requires correct CORS headers. ackee-tracker (the script that sends data from your sites to Ackee) won't be able to contact your server when the CORS headers aren't available or when they are configured incorrectly.
When a site wants to send data to a different domain it needs the permissions to do so. Browsers use an OPTIONS request (preflight request) that checks to see if the CORS protocol is understood.
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: GET, POST, PATCH, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization, Time-Zone
Access-Control-Allow-Credentials: true
Your server needs to allow requests from your sites (recommended) or from all sites (easier to implement, but insecure).
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Origin: *
The Access-Control-Allow-Origin header only allows one domain or a wildcard (*). Take a look at our advanced configuration if you want to allow requests from multiple domains without using the insecure wildcard.
ackee-tracker needs the permission to send GET, POST, PATCH and OPTIONS requests to the server.
Access-Control-Allow-Methods: GET, POST, PATCH, OPTIONS
The Access-Control-Allow-Headers header is used in response to a preflight request to indicate which HTTP headers can be used when making the actual request.
Access-Control-Allow-Headers: Content-Type, Authorization, Time-Zone
The Access-Control-Allow-Credentials header tells the browser to include the ackee_ignore cookie in requests even when you're on a different (sub-)domain. This allows Ackee to ignore your own visits.
ℹ️ Some browsers strictly block third-party cookies when Ackee runs on a different domain than the site you're visiting. Therefore, it may happen that your own visits still find their way into your statistics.
Access-Control-Allow-Credentials: true
If you are running Ackee on a platform which handles SSL for you, you may want a quick solution for setting CORS headers instead of using a reverse proxy.
As an environment variable, you will need to set:
ACKEE_ALLOW_ORIGIN="https://example.com"
The proper header value for Access-Control-Allow-Origin will be set with the other headers being the recommended values.
It's also possible to allow requests from all domains (not recommended) or from multiple domains:
ACKEE_ALLOW_ORIGIN="*"
ACKEE_ALLOW_ORIGIN="https://example.com,https://example2.com"