> Should I still set the CORS allow_origins setting to
http://localhost:3000/ as that's where my front end is running locally or should it be my public IP address?
localhost:3000
> In the log files - I get this message: Exception: Since your API and website domain are different, for sessions to work, please use https on your apiDomain and don't set cookieSecure to false. I'm getting the SSL/TLS certificate sorted but don't know where the cookieSecure setting is to check it?
You need to use an apiDomain that starts with
https://
. If you can't do that, switch to using header based auth.