Skip to content

Instantly share code, notes, and snippets.

@brianlmoon

brianlmoon/apache_cors_example

Last active April 22, 2025 09:41
Show Gist options
  • Save brianlmoon/2291111c5c69252c85f4 to your computer and use it in GitHub Desktop.
Save brianlmoon/2291111c5c69252c85f4 to your computer and use it in GitHub Desktop.
Download ZIP
CORS example for Apache with multiple domains
Raw
apache_cors_example
# Sets CORS headers for request from example1.com and example2.com pages
# for both SSL and non-SSL
SetEnvIf Origin "^https?://[^/]*(example1|example2)\.com$" ORIGIN=$0
Header set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN
Header set Access-Control-Allow-Credentials "true" env=ORIGIN
# Always set Vary: Origin when it's possible you may send CORS headers
Header merge Vary Origin
@brianlmoon
Copy link
Author

Hi,

I have not used Apache in years now. I would Google for "apache options cors". I switched to Nginx. I had to do some things in Nginx for OPTIONS headers so I am guessing Apache is the same. I am sure there is a solution. And if you find the solution, feel free to respond here with it.

Hi guys, this thread was really helpful,

The solution below works. The server is returning correct Access-Control-Allow-Origin header but status code of Preflight (OPTIONS method, before POST) request is still 403 (chrome)

Is there any solution for 403?

SetEnvIf Origin "^https?://[^/]*(example1|example2)\.com$" ORIGIN=$0
Header set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN
Header set Access-Control-Allow-Credentials "true" env=ORIGIN
Header merge Vary Origin

@prhasn
Copy link

prhasn commented Sep 22, 2022

Header always set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN

Thank you. This did it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment