I built a PHP API with the following header:

```php
header("Access-Control-Allow-Origin: https://my-domain.de");
```

With that, I can access the API only from https://my-domain.de but not from https://www.my-domain.de.

I get:

```
Origin https://www.my-domain.de is not allowed by Access-Control-Allow-Origin.
[Error] XMLHttpRequest cannot load https://my-domain.de/checkin/api/generateUser.php due to access control checks.
```

How can I make this work for both, with www and without www?

Nick Rick
  • Why is your site itself available under two different host names to begin with? The usual approach would be to fix _that_, and have one version redirect to the other. – CBroe May 05 '21 at 08:57
  • Does this answer your question? [Access-Control-Allow-Origin issue with and without www in url](https://stackoverflow.com/questions/9370787/access-control-allow-origin-issue-with-and-without-www-in-url) – Shayan Moghadam May 05 '21 at 13:03

1 Answer

You can just add another line:

```php
header("Access-Control-Allow-Origin: https://my-domain.de");
header("Access-Control-Allow-Origin: https://www.my-domain.de");
```

PHP doesn't support wildcard headers; you either support all domains:

```php
header("Access-Control-Allow-Origin: *");
```

Or specific ones, as above.

Timberman
  • CORS is new to me so I don't know what's the most secure practice. My app is open to everybody and I don't want someone to use my API or run requests outside the app. – Nick Rick May 05 '21 at 08:46
  • You should use an API key anyway, to make sure it's properly protected. – Timberman May 05 '21 at 09:17
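
An added example, not code from the question or the answer: `Access-Control-Allow-Origin` carries a single origin, and PHP's `header()` replaces an earlier header of the same name by default, so one way to serve both hosts is to compare the request's `Origin` against an exact-match allowlist and echo back the match together with `Vary: Origin`. The helper name `corsHeadersFor` and the sample origins in the CLI check are hypothetical/constructed; the two allowed origins are the ones from the question.

```php
<?php
declare(strict_types=1);

// Origins from the question; exact strings (scheme + host, no trailing slash).
const ALLOWED_ORIGINS = [
    'https://my-domain.de',
    'https://www.my-domain.de',
];

/**
 * Hypothetical helper: returns the header lines to send for a given Origin
 * request header. An unknown or missing origin gets no Allow-Origin header.
 */
function corsHeadersFor(?string $origin): array
{
    // Always vary on Origin so a shared cache never serves a response
    // generated for one origin to a request from another.
    $headers = ['Vary: Origin'];

    // Strict whole-string comparison: no substring or regex matching, so a
    // host that merely contains "my-domain.de" is not accepted.
    if ($origin !== null && in_array($origin, ALLOWED_ORIGINS, true)) {
        $headers[] = 'Access-Control-Allow-Origin: ' . $origin;
    }
    return $headers;
}

// In the API script, before any output is sent:
foreach (corsHeadersFor($_SERVER['HTTP_ORIGIN'] ?? null) as $line) {
    header($line);
}

// Constructed sample origins, shown only when run from the command line.
if (PHP_SAPI === 'cli') {
    $samples = [
        'https://my-domain.de',
        'https://www.my-domain.de',
        'http://www.my-domain.de',            // wrong scheme
        'https://my-domain.de.example.net',   // look-alike host
        null,                                 // no Origin header at all
    ];
    foreach ($samples as $origin) {
        printf("%-36s => %s\n", $origin ?? '(none)', implode(' | ', corsHeadersFor($origin)));
    }
}
```

CORS only controls which web origins a browser lets read the response; clients that are not browsers ignore it, so the API still needs its own authentication.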