Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed


Reason: Multiple CORS header ‘Access-Control-Allow-Origin’ not allowed

What went wrong?

More than one Access-Control-Allow-Origin header was sent by the server. This isn't allowed.

Fortunately, as long as you have access to the server's configuration, fixing this is easy. The Access-Control-Allow-Origin header supports multiple origins, separated by commas, like this:


This would allow CORS requests from Mozilla, Google, Microsoft, and Apple's domains.

All you need to do is combine multiple Access-Control-Allow-Origin headers into a single one, with commas separating the origins gathered from each copy of the header.

See also

Document Tags and Contributors

Contributors to this page: Sheppy
Last updated by: Sheppy,