cassette-player/CORS.md

For DreamHost hosting, the owner of `feed.falsefinish.club` can configure CORS headers using an `.htaccess` file in the root directory of the site (or in the specific directory serving the audio files).

## Setting CORS Headers on DreamHost

Create or edit the `.htaccess` file in the web root (typically `~/falsefinish.club/feed/` or wherever the audio files are served from) and add:

```apache
# Enable CORS for echo-reality.com
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "https://echo-reality.com"
    Header set Access-Control-Allow-Methods "GET, HEAD, OPTIONS"
    Header set Access-Control-Expose-Headers "ETag, Last-Modified, Content-Length"
</IfModule>

# Handle preflight OPTIONS requests
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [R=200,L]
</IfModule>
```

### If targeting specific file types only (recommended)

To apply CORS headers only to audio files:

```apache
<IfModule mod_headers.c>
    <FilesMatch "\.(mp3|mp4|wav|ogg|m4a)$">
        Header set Access-Control-Allow-Origin "https://echo-reality.com"
        Header set Access-Control-Allow-Methods "GET, HEAD, OPTIONS"
        Header set Access-Control-Expose-Headers "ETag, Last-Modified, Content-Length"
    </FilesMatch>
</IfModule>
```

### For multiple origins (if needed during development)

If you need to allow both the production domain and a local development server:

```apache
<IfModule mod_headers.c>
    SetEnvIf Origin "^https://(echo-reality\.com|localhost:3000)$" CORS_ORIGIN=$0
    Header set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
    Header set Access-Control-Allow-Methods "GET, HEAD, OPTIONS"
    Header set Access-Control-Expose-Headers "ETag, Last-Modified, Content-Length"
</IfModule>
```

### How to add the .htaccess file on DreamHost

1. **Via SFTP/FTP**: Connect to the server using an FTP client (like FileZilla) and upload/edit the `.htaccess` file in the appropriate directory

2. **Via DreamHost Panel File Manager**: Log into the DreamHost panel → Manage Websites → Files → navigate to the directory and create/edit `.htaccess`

3. **Via SSH** (if enabled): SSH into the server and use a text editor like `nano` or `vim`

### Important notes for DreamHost

- DreamHost's shared hosting uses Apache, so `.htaccess` files work out of the box
- The `mod_headers` module is enabled by default on DreamHost
- Make sure the `.htaccess` file has proper permissions (644)
- Changes take effect immediately—no server restart needed

### Testing the configuration

After adding the `.htaccess` file, the owner can verify it's working by checking the response headers:

```bash
curl -I -X OPTIONS -H "Origin: https://echo-reality.com" \
  "https://feed.falsefinish.club/Echo%20Reality/PINK%20FLIGHT/MP3%20BOUNCE/01.%20PINK%20FLIGHT%20ATTENDANT.mp3"
```

The response should include the `Access-Control-Allow-Origin: https://echo-reality.com` header.

### Quick test `.htaccess` for DreamHost

```apache
# TEMPORARY - Allow all origins for testing
<IfModule mod_headers.c>
    <FilesMatch "\.(mp3|mp4|wav|ogg|m4a)$">
        Header set Access-Control-Allow-Origin "*"
        Header set Access-Control-Allow-Methods "GET, HEAD, OPTIONS"
        Header set Access-Control-Expose-Headers "ETag, Last-Modified, Content-Length"
    </FilesMatch>
</IfModule>
```

This limits the wildcard CORS to just media files, which is a reasonable middle ground—your audio files are publicly accessible but you're not opening up everything on the domain.