Closer to real production topology
Developer Guide
Written by Casper Fenger Jensen • Updated 2026-04-14
How to Split Frontend and API Origins in Local HTTPS Development
Keep the frontend and API on separate HTTPS origins in local development so you can test CORS, cookies, auth rules, and realistic host-based behavior.
One public hostname is not always enough. Many teams need the frontend and API on separate origins during development because production behaves that way. Bore supports that split without requiring a locally maintained reverse-proxy setup.
frontend api separate origin local devlocal https app and api subdomainslocal dev cors https origins
Install Bore
curl -sL https://bore.dk/install.sh | bashUseful for CORS and auth testing
Works with child hosts under one reserved namespace
How It Works
Simple local workflow, real HTTPS externally
Step 1
Expose the frontend namespace
Start the main app locally and create its HTTPS URL with Bore.
bore up 3000Step 2
Reserve a child host for the API
Add a child host under the same namespace for the backend service.
bore host add <namespace> apiStep 3
Point the child host at the API port
Route the child host to the API's local port.
bore host set-port <namespace> api 3001Step 4
Use the split origins in development
Keep the frontend on the root hostname and the API on the child host while testing real origin boundaries.
Where Bore Differs
Bore can keep HTTPS on reserved child hosts too
Most tunnel workflows stop at one public hostname. Bore can keep your main app on one HTTPS namespace and reserve a child host like `api.<namespace>.bore.dk` for a second local service.
bore host add <namespace> api
bore host set-port <namespace> api 3001That matters when frontend and API origins need to stay separate in local development, or when webhook, auth, and admin traffic should not all share one hostname.
FAQ
Common questions
Why split frontend and API origins locally?
Because some CORS, cookie, and auth behaviors only show up when the app and API are actually on separate origins, just like production.
Can Bore keep both origins under one namespace?
Yes. Bore can keep the app on the root hostname and reserve a child host such as api.<namespace>.bore.dk for the API.
Is this better than hand-rolled local proxy config?
For many teams, yes. Bore keeps the local services simple and moves the public HTTPS routing to a reusable, persistent tunnel setup.
Related Guides
More HTTPS development guides
HTTPS for Child Subdomains in Local Development
Bore lets you expose a local app on one HTTPS hostname and a second local service on a reserved child host like api.bo.bore.dk. That makes app and API origin splits much easier in development.
How to Expose a Local API Over HTTPS
Put a local API on a real HTTPS URL for browser clients, mobile apps, webhook callbacks, and partner integrations without adding local TLS complexity.
How to Open Localhost on HTTPS From Your Phone or Another Device
Test a local app or API on a phone, tablet, or another laptop over HTTPS without opening your whole machine to the internet or sharing raw LAN URLs.
How to Put a Local Website on HTTPS
Expose a local website over HTTPS without managing local certificates. Bore gives localhost a real HTTPS URL for browser testing, callbacks, and webhook flows.