Exposing Foxx to the browser

    1. Accessing Foxx from an application server that exposes its own API.

    2. Using a web server like Apache or nginx as a reverse proxy to expose only the Foxx service.

    3. Exposing ArangoDB directly by running ArangoDB on a public port.

    Accessing Foxx from an application server is probably the safest approach as the application server shields the database from the browser entirely. However this also adds the most development overhead and may result in unnecessary duplication of access logic.

    This approach works best if you’re using Foxx in an existing application stack or want to use an ArangoDB driver to access the database API directly alongside your Foxx service.

    As Foxx services provide ordinary HTTP endpoints, you can access them from your existing application server using any run-of-the-mill HTTP client with JSON support. Some ArangoDB drivers also let you access arbitrary HTTP endpoints.

    Example (Node with arangojs):

    Example (nginx):

    Example (Apache):

    The advantage of this approach is that it allows you to expose just the service itself without exposing the entire database API.

    This approach also works well if you’re already using a web server to serve your web application frontend files and want your frontend to talk directly to the service.

    Note: when running Foxx behind a reverse proxy some properties of the request object will reflect the proxy rather than the original request source (i.e. the browser). You can tell Foxx to expect to run behind a trusted proxy by enabling the property of the service context:

    Foxx will then trust the values of the following request headers:

    • x-forwarded-host for req.hostname and
    • x-forwarded-port for req.port
    • x-forwarded-for for req.remoteAddress and

    Note that this property needs to be set in your main entry file. Setting it in the setup script has no effect.

    Unless your service is explicitly intended to be used by people who already have access to the ArangoDB web interface, you should go with one of the other approaches instead.

    Only use this for internal services intended to help users who already have full access to the database. Don’t ever expose your database to the public Internet.

    If you are running ArangoDB on a public port and want a web app running on a different port or domain to access it, you will need to enable CORS in ArangoDB.

    First you need to . As of 3.2 Foxx will then automatically allow all response headers as they are used.

    If you want more control over what is exposed or are using an older version of ArangoDB you can set the following response headers in your request handler:

    • access-control-allow-credentials: can be set to "false" to forbid exposing cookies. The default value depends on whether ArangoDB trusts the origin. See the notes on .