Allowing cross origin requests for http and https
Have you tried using HTTPS
variable?
It will be set to "on"
for all https requests.
Your .htaccess should look like this
Header set Access-Control-Allow-Origin: http://example.com #default
Header set Access-Control-Allow-Origin: https://example.com env=HTTPS #override if https
Admin
Updated on July 26, 2022Comments
-
Admin almost 2 years
My website supports both http and https protocols. However using the code below in .htaccess file, I can only set one domain to allow CORS requests:
Header set Access-Control-Allow-Origin: http://example.com
I want to allow CORS for both http and https versions of my site (not just "*") and tried the solutions here: Access-Control-Allow-Origin Multiple Origin Domains?
But the problem is that all solutions rely on
Origin
header in the request which may not exist and also is not secure. (anyone can put a origin header in their request)I want to know if the request has been served over https and use this info to set the proper CORS header. Something like this:
SetEnvIf servedOverHttps httpsOrigin=true Header set Access-Control-Allow-Origin: https://example.me env=httpsOrigin SetEnvIf notServedOverHttps httpOrigin=true Header set Access-Control-Allow-Origin: http://example.me env=httpOrigin
How can I find out that it's a https request?