nginx config notes

README.md

@@ -84,6 +84,10 @@ It's best not to serve Spothole directly on port 80, as that requires root privi
 Create a file at `/etc/nginx/sites-available/` called `spothole`. Give it the following contents, replacing `spothole.m0trt.radio` with the domain name on which you want to run Spothole. If you changed the port on which Spothole runs, update that on the "proxy_pass" line too.
 
 ```nginx
+map $request_uri $xssorigin {
+    ~^/api   *;
+}
+
 server {
     server_name spothole.m0trt.radio;
 
@@ -93,14 +97,14 @@ server {
     }
     
     location / {
-        add_header Access-Control-Allow-Origin *;
+        add_header Access-Control-Allow-Origin $xssorigin;
         proxy_pass http://127.0.0.1:8080;
     }
 }
 ```
 
-One further change you might want to make to the file above is the `add_header Access-Control-Allow-Origin *;` statement. This is what's used on
-my own Spothole server to make sure that other third-party web-based software can get the data from my instance. If you want
+One further change you might want to make to the file above is the `add_header Access-Control-Allow-Origin` statement. This is what's used on
+my own Spothole server to make sure that other third-party web-based software can get the data from my instance, and applies to any endpoint underneath `/api`. If you want
 *your* Spothole instance to be set up the same way, so that others can write software in JavaScript that can access it,
 leave this intact. But if you want your Spothole instance to only be usable by scripts running on the web server you write,
 you can remove this block. (Note that this doesn't stop other people writing *non-web-based* software that accesses your