javascript - Multiple Access-Control-Allow-Origin headers being set - Stack Overflow

In my Node/Express app, I am specifically removing any existing Allow-Origin header, and setting it to a specific domain. It works locally, but on the server, it keeps saying that the response header contains multiple values. This is the only place I set these headers in the entire codebase. Any thoughts on where else could be setting this?

'Access-Control-Allow-Origin' header contains multiple values 'https://*.mypany, *', but only one is allowed.

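app.use(function(req, res, next){
    // Only affects headers set earlier inside this Node process
    res.removeHeader('Access-Control-Allow-Origin');
    res.header('Access-Control-Allow-Origin', 'https://*.mypany');
    res.header('Access-Control-Allow-Headers', '*');
    res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,PATCH,OPTIONS');
    // Replaces the '*' value set for Access-Control-Allow-Headers above
    res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept, Authorization');
    if(req.method==='OPTIONS'){
        // Answer the preflight here and stop, so next() is not called after the response is sent
        return res.sendStatus(200);
    }
    next();
});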

asked Jun 11, 2020 at 19:10 by DShultz
  • What do you mean "existing Allow-Origin header"? What other part of your server is adding that? – jonrsharpe Commented Jun 11, 2020 at 19:12
  • I'm referring to the first line in the app.use function, I remove the 'Access-Control-Allow-Origin' header – DShultz Commented Jun 11, 2020 at 19:15
  • Yes, I can see that, but where do you think it's coming from to start with? – jonrsharpe Commented Jun 11, 2020 at 19:16
  • there is probably a reverse proxy in front of your server, and for convenience they are just setting cors headers on everything – user120242 Commented Jun 11, 2020 at 19:20
  • Thanks for the idea - the issue was that the nginx config on the server being deployed to had the line: add_header 'Access-Control-Allow-Origin' '*' always; ...Though I'm surprised our removeHeader() statement didn't remove it. – DShultz Commented Jun 11, 2020 at 19:43

1 Answer

See if this explains it for you: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSMultipleAllowOriginNotAllowed. The problem is a browser will only accept one domain in an Access-Control-Allow-Origin header and you have a wildcard. The solution is to read the Origin header and echo that to the Access-Control-Allow-Origin header on the response if it's an Origin you want to allow.
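
The approach the answer describes, as an added example (not code from the question or the answer): check the request's Origin against an allowlist and echo it back as the single Access-Control-Allow-Origin value. `example.com` is a placeholder domain, and the middleware assumes nothing in front of the app adds its own CORS header; the nginx `add_header` line from the comments is applied at the proxy and would still produce a second value.

```javascript
// Added example: allowlist-based CORS middleware for Express or plain http.
// ALLOWED_APEX is a constructed placeholder, not a value from the question.
const ALLOWED_APEX = 'example.com';

// Return the origin to echo back, or null if it must not be allowed.
function allowedOrigin(originHeader) {
  if (typeof originHeader !== 'string') return null;
  let url;
  try {
    url = new URL(originHeader);
  } catch (e) {
    return null; // malformed value, or the literal "null" origin
  }
  if (url.protocol !== 'https:') return null;
  const host = url.hostname;
  // Exact apex or a true subdomain; the leading dot rejects "evilexample.com".
  const ok = host === ALLOWED_APEX || host.endsWith('.' + ALLOWED_APEX);
  // Echo the normalised origin (scheme, host, port), never the raw header.
  return ok ? url.origin : null;
}

function cors(req, res, next) {
  const origin = allowedOrigin(req.headers.origin);
  // The response differs per origin, so caches must key on it.
  res.setHeader('Vary', 'Origin');
  if (origin) {
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Access-Control-Allow-Methods',
      'GET,PUT,POST,DELETE,PATCH,OPTIONS');
    res.setHeader('Access-Control-Allow-Headers',
      'Origin, X-Requested-With, Content-Type, Accept, Authorization');
  }
  if (req.method === 'OPTIONS') {
    // Preflight ends here; without an allow-origin header the browser blocks.
    res.statusCode = 204;
    return res.end();
  }
  next();
}
```

Mount it with `app.use(cors)` before the routes.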
