How to allow origin header for multiple sites?

Actually, I’m not familiar with .yaml extension.
I tried to add the config as below

allowedOrigins: -

But it’s showing the error like this

The 'Access-Control-Allow-Origin' header contains the invalid value 'Array'.

1 Like

That will not work, you can specify in the configuration only one entry. If you check the index.php:

    $_cors = $cockpit->retrieve('config/cors', []);

    header('Access-Control-Allow-Origin: '      .($_cors['allowedOrigins'] ?? '*'));

so unless @artur accept a change for that (and not sure if that make sense), you may need to deal with it in the webserver, check for a solution here:

please consider using config.php instead of config.yaml:


return [

  'cors' => [

    'allowedOrigins' => in_array($_SERVER['HTTP_ORIGIN'], ['', '']) 
                        ? $_SERVER['HTTP_ORIGIN'] : ''


if you use the php based configuration, then you’re more flexible (eg using env variables for dynamic config)

1 Like

Thanks @pauloamgomes and @artur I comment off the Access-Control-Allow-Origin and Access-Control-Allow-Methods lines in index.php and add in .htaccess as below.

<IfModule mod_headers.c>
    SetEnvIf Origin "http(s)?://(|$" AccessControlAllowOrigin=$0
    Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header always set Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"

It’s working now. Thanks