@brianlmoon
Last active November 19, 2023 03:14
CORS example for Apache with multiple domains
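# Sets CORS headers for requests from example1.com and example2.com pages
# (including their subdomains) for both SSL and non-SSL.
# The subdomain part only matches dot-terminated labels, so a host that merely
# ends in "example1.com" (such as notexample1.com) is not reflected.
SetEnvIf Origin "^https?://([a-z0-9-]+\.)*(example1|example2)\.com$" ORIGIN=$0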
Header set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN
Header set Access-Control-Allow-Credentials "true" env=ORIGIN
# Always set Vary: Origin when it's possible you may send CORS headers
Header merge Vary Origin
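
An added example, not part of the gist or its comments: it replays constructed Origin values against the `[^/]*` pattern that appears in this thread and against a tighter pattern that allows only dot-separated subdomain labels, mimicking the SetEnvIf/Header pair. The function names, the sample origins and the tighter pattern are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Pattern as quoted in this thread: [^/]* accepts any run of characters before
# the domain name, not only dot-separated subdomain labels.
LOOSE = r"^https?://[^/]*(example1|example2)\.com$"
# Tighter form (assumption of this example): zero or more "label." prefixes.
STRICT = r"^https?://([a-z0-9-]+\.)*(example1|example2)\.com$"

TRUSTED = ("example1.com", "example2.com")

# Constructed Origin header values, not taken from real traffic.
SAMPLES = [
    "https://example1.com",
    "http://www.example2.com",
    "https://api.shop.example1.com",
    "https://notexample1.com",          # different registrable domain
    "https://example1.com.other.test",  # trusted name only as a prefix
    "null",                             # opaque origin (sandboxed frame, file://)
]


def is_trusted(origin):
    """True when the origin's host is a trusted domain or one of its subdomains."""
    parts = urlsplit(origin)
    host = parts.hostname or ""
    return parts.scheme in ("http", "https") and any(
        host == d or host.endswith("." + d) for d in TRUSTED)


def cors_headers(origin, pattern):
    """Mimic SetEnvIf Origin <pattern> ORIGIN=$0 plus the env=ORIGIN headers."""
    headers = {"Vary": "Origin"}          # Header merge Vary Origin (unconditional)
    m = re.search(pattern, origin)        # SetEnvIf does an unanchored regex search
    if m:                                 # ORIGIN is set, so env=ORIGIN is true
        headers["Access-Control-Allow-Origin"] = m.group(0)   # $0 = whole match
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def overmatches(pattern):
    """Sample origins that would get credentialed CORS headers but are untrusted."""
    return [o for o in SAMPLES
            if "Access-Control-Allow-Origin" in cors_headers(o, pattern)
            and not is_trusted(o)]


if __name__ == "__main__":
    print({name: overmatches(p) for name, p in (("loose", LOOSE), ("strict", STRICT))})
```

Extending SAMPLES with the real allow-list and running this as a regression test before each change to the SetEnvIf pattern catches over-broad matches before they reach production.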
@teknopaul

teknopaul commented Jan 27, 2017

I had to add "always" to the Header set

Header always set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN

This then sets the header. It ought to replace the header, but this does not work for me, so I get multiple headers, which is not permitted.

Still struggling with CORS in Apache; someone needs to write the definitive mod_cors.

@blazejkrzak

This was what I was looking for!
Since Firefox Quantum (or maybe earlier), origins set to "*" do not work for xhr -> withCredentials. Your solution is what I needed. Works with Header always set, as @teknopaul suggested.

@fourmi-integree

very good / tx

Question!
What is the function of the "e" => ...%{ORIGIN}e..., a flag?

@ericcgu

ericcgu commented May 24, 2019

  1. Load Modules
LoadModule headers_module modules/mod_headers.so
LoadModule rewrite_module modules/mod_rewrite.so
  2. Change Folder in Bold to your target directory serving the endpoint:
<Directory "**/usr/local/apache2**">
    AllowOverride None
    Require all granted

    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
    Header always set Access-Control-Expose-Headers "Content-Security-Policy, Location"
    Header always set Access-Control-Max-Age "600"

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [R=200,L]

</Directory>

@skhalid555

Current config
<location /test>
SetEnvIf Origin ".*$" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin

In the new config, if I add always, is this enough to allow all domains?
<location /test>
SetEnvIf Origin ".*$" AccessControlAllowOrigin=$0
Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin

Could somebody advise?

Thank you

@lukydvorak

lukydvorak commented Jun 15, 2022

Hi guys,
this thread was really helpful,

The solution below works. The server is returning the correct Access-Control-Allow-Origin header, but the status code of the preflight (OPTIONS method, before POST) request is still 403 (Chrome).

Is there any solution for 403?

SetEnvIf Origin "^https?://[^/]*(example1|example2)\.com$" ORIGIN=$0
Header set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN
Header set Access-Control-Allow-Credentials "true" env=ORIGIN
Header merge Vary Origin

@brianlmoon
Author

Hi,

I have not used Apache in years now. I would Google for "apache options cors". I switched to Nginx. I had to do some things in Nginx for OPTIONS headers so I am guessing Apache is the same. I am sure there is a solution. And if you find the solution, feel free to respond here with it.

Hi guys, this thread was really helpful,

The solution below works. The server is returning the correct Access-Control-Allow-Origin header, but the status code of the preflight (OPTIONS method, before POST) request is still 403 (Chrome).

Is there any solution for 403?

SetEnvIf Origin "^https?://[^/]*(example1|example2)\.com$" ORIGIN=$0
Header set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN
Header set Access-Control-Allow-Credentials "true" env=ORIGIN
Header merge Vary Origin

@prhasn

prhasn commented Sep 22, 2022

Header always set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN

Thank you. This did it.
