apache server allow-access-control-origin from two and only two origins

Question

I am looking for a way to configure my apache server allow cross origin access from two different origins. I would like to avoid the wildcard header "*".

I've tried adding space separate response (the chatGPT "solution"):

Header set Access-Control-Allow-Origin "https://origin1.com https://origin2.com"

comma separated (another chat GPT solution)

Header set Access-Control-Allow-Origin "https://origin1.com, https://origin2.com"

and adding both:

Header add Access-Control-Allow-Origin "https://origin1.com"
Header add Access-Control-Allow-Origin "https://origin2.com"

All three options give me a CORS error as multiple values in or duplicated Access-Control-Allow-Origin headers aren't allowed by CORS.

The wildcard solution "*" works (no CORS error) but I would like to avoid it.

What's the correct way to configure an apache server to allow cross origin requests from two different origins and only to those two different origins?

The only allowed value for the `Access-Control-Allow-Origin` header is the wildcard (e.g. `*`) or a _single_ serialised Web origin (e.g. `https://example.com`). Moreover, CORS responses should contain at most one such header, or things won't work. However, you can configure Apache to conditionally set some response headers. — jub0bs, Apr 21 '23 at 08:45

apache server allow-access-control-origin from two and only two origins

0 Answers0