fix(server,client): CORS is a real nightmare

api-server/server/middlewares/constant-headers.js

@@ -1,6 +1,9 @@
+import { homeLocation } from '../../../config/env';
+
 export default function constantHeaders() {
   return function(req, res, next) {
-    res.header('Access-Control-Allow-Origin', '*');
+    res.header('Access-Control-Allow-Origin', homeLocation);
+    res.header('Access-Control-Allow-Credentials', true);
     res.header(
       'Access-Control-Allow-Headers',
       'Origin, X-Requested-With, Content-Type, Accept'

client/src/utils/ajax.js

@@ -1,6 +1,7 @@
 import axios from 'axios';
 
 const base = '/internal';
+axios.defaults.withCredentials = true;
 
 function get(path) {
   return axios.get(`${base}${path}`);