9

My website supports both http and https protocols. However using the code below in .htaccess file, I can only set one domain to allow CORS requests:

Header set Access-Control-Allow-Origin: http://example.com

I want to allow CORS for both http and https versions of my site (not just "*") and tried the solutions here: Access-Control-Allow-Origin Multiple Origin Domains?

But the problem is that all solutions rely on Origin header in the request which may not exist and also is not secure. (anyone can put a origin header in their request)

I want to know if the request has been served over https and use this info to set the proper CORS header. Something like this:

SetEnvIf servedOverHttps httpsOrigin=true
Header set Access-Control-Allow-Origin: https://example.me env=httpsOrigin

SetEnvIf notServedOverHttps httpOrigin=true
Header set Access-Control-Allow-Origin: http://example.me env=httpOrigin

How can I find out that it's a https request?

Community
  • 1
  • 1
LeoA
  • 93
  • 1
  • 1
  • 4

1 Answers1

4

Have you tried using HTTPS variable?

It will be set to "on" for all https requests. Your .htaccess should look like this

Header set Access-Control-Allow-Origin: http://example.com             #default
Header set Access-Control-Allow-Origin: https://example.com env=HTTPS   #override if https
Josh Crozier
  • 202,159
  • 50
  • 343
  • 273
advncd
  • 3,049
  • 1
  • 22
  • 25