You can set the port in the config instead of editing the server.js file.
Add a user_config.json file in the app/config folder.
{
"port": 5000
}
Enable cors and set origin to *, it will then set the headers to reflect the request origin send by the client.
Thanks @patrick
But there's no app folder on a framework7 project.
Created one but it doesn't seem to work
PS:
But when we use credentials = true, should not avoid * ?
If a request includes a credential (most commonly a
Cookieheader) and the response includes anAccess-Control-Allow-Origin: *header (that is, with the wildcard), the browser will block access to the response, and report a CORS error in the devtools console.
My mistake, was thinking you were using NodeJS Server Connect since you mentioned editing the server.js file and didn't read all the above posts. See that you edit the Wappler internal server, we could perhaps make an option for the port that you can set globally within Wappler. It currently uses a random unused port, configuring a port that is in use will break design view since it also uses the internal server.
Thanks, for now, since the port change every time project is changed, there's no other workaround for testing own API's on a mobile/desktop project.
We fall into an endless loop.
But the mobile projects donāt expose any apiās as they donāt have server connect. So you probably have your apiās in a separate NodeJS project which already have a fixed port like 3000
So Iām a bit confused about the problem hereā¦
It's a very simple problem, but maybe my english doesn't help haha.
Go to mobile project and preview your call to the backend, could be a simple query or a login. You'll find a problem with cors, since localhost:51492 is not on the list.
So you go to the backend project and you add it on the config file/cors tab of config: otherwise you'll have a cors problem
When you close the backend project, and re-open your mobile project:
You have a cors problem again because :47921 is not added, the port has changed
So you go to your backend project, and you add the new one:
You close the backend project, re open the mobile project, and the port changed again:
Repeat till you lose your mind 
But what if you specify just * as cors origin and no urls at all?
As far as I know, that's not a possibility because credentials are sended:
When responding to a credentialed request, the
Access-Control-Allow-Originheader value must be fully qualified; the wildcard value*is not permitted.
No * is a special case for our nodejs and even php implementation and it means reflect the calling url.
So it should work.
We use the a general nodejs cors module and when * is given - we set the origin to true, and this reflects the url as stated in the docs: GitHub - expressjs/cors: Node.js CORS middleware
origin: Configures the Access-Control-Allow-Origin CORS header. Possible values:
Boolean- setorigintotrueto reflect the request origin, as defined byreq.header('Origin'), or set it tofalseto disable CORS.
So just try it 
The * never worked properly, and it's a fairly simple ask to set the port to something other than 0 as the default, as you do for node projects being set to 3000 or give us the option to define it and not have it wiped out on upgrades.
True, this was reported on more than one topic:
Don't know if this is the exact case, but asked chatgpt because remember having a lot of troubles: Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'
Using a wildcard (
*) for theAccess-Control-Allow-Originheader in your CORS configuration indeed prevents cookies from being included in cross-origin requests. This is because theAccess-Control-Allow-Originheader must specify the exact origin when dealing with credentials (cookies, HTTP authentication, client-side SSL certificates).
When you setAccess-Control-Allow-Originto*, it indicates that any origin can access the resource. However, for security reasons, browsers block credentials from being sent if the CORS policy is too permissive. Specifically, the combination ofAccess-Control-Allow-Origin: *andAccess-Control-Allow-Credentials: trueis not allowed because it poses a security risk by potentially exposing sensitive data to unauthorized origins.
Sorry but don't really understand how this is different 
It's something new and I should expect a different behavior than the last year?
Will do more test about it, query is working, not sure about login and storing cookies..
But instead of asking ChatGPT for general explanation which is not true in this case, did you try using * yourself?
I've recently finished a project storing cookies with capacitor, and, for my surprise, everything is working, closed the app, and the user is still logged in.
Don't really understand, I was 100% sure that * wasn't allowed when storing cookies, remember having a lot of issues and that is why I said:
A little confused right now, something has changed? Sorry for all this stuff..
Don't know if @kfawcett can share his experience..
I think we adjusted the * behavior to be equal on all platforms after the initial reports. So it should work now all fine
Thanks @George, you guys are the best
This request was more than just the CORS setting. It was to allow for a static port on mobile projects that doesn't change when switching between projects. A lot of the time, you develop a mobile and server project together. The mobile project is opened on one tab (e.g. https://localhost:59540); you then switch to the server project to make an update to the database or an API and switch back to the mobile project to test it in the browser only to realize that Wappler restarted the mobile project on another port.
It could be a really easy fix for the Wappler team, and I'm surprised we're still conversing about it.
Bumping, this is driving me crazy! Why'o'why is the port random?
Wondering if I'm going to experience all 65535 ports by the time this Project is completed...?
Hopefully you saw the workaround. 
Cheers Keith, I did read your work-around but am confused as to why the random port generation?
I don't own an Android device so am at the mercy of emulation and the browser so this is like stabbing my balloon knot with a cactus every time I want to test something...
