The 'Access-Control-Allow-Origin' header contains multiple values '*, *'

Hi there,

I am using the caddy:2.4.2-alpine Docker image and I wanna enable CORS for one of my domains, but I get an error from the browser that says: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

route /graphql {

    # CORS headers
    header Access-Control-Allow-Origin "*"
    header Access-Control-Allow-Methods "GET, POST, OPTIONS"
    header Access-Control-Allow-Credentials true

    reverse_proxy http://gateway.default.svc.cluster.local
}

With cURL it works; the problem is just in the browser.

Your upstream app is sending that header. Make sure it’s properly configured to send CORS values that make sense.

Thanks for the reply!

My upstream server sent back access-control-allow-origin:*.

Is there any way that I can override the upstream header with caddy?

Then if your upstream is already sending that header, there should be no need to set the header in Caddy. Try removing that line of config.
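One way to make Caddy the only source of the CORS headers, as asked above (an added example, not configuration posted by anyone in this thread): inside `reverse_proxy`, `header_down` with a `-` prefix deletes the named header from the upstream response before Caddy copies it to the client, so the value set by `header` is the only one the browser sees. The origin `https://app.example.com` is a placeholder.

```caddyfile
route /graphql {

    # Caddy sets the CORS policy for this route.
    # Placeholder origin: browsers do not accept "*" on requests sent
    # with credentials, so name the allowed origin when
    # Access-Control-Allow-Credentials is true.
    header Access-Control-Allow-Origin "https://app.example.com"
    header Access-Control-Allow-Methods "GET, POST, OPTIONS"
    header Access-Control-Allow-Credentials true

    reverse_proxy http://gateway.default.svc.cluster.local {
        # Drop the upstream's own CORS headers so they are not
        # appended to the ones set above (the cause of "*, *").
        header_down -Access-Control-Allow-Origin
        header_down -Access-Control-Allow-Methods
        header_down -Access-Control-Allow-Credentials
    }
}
```

Running `curl -i` against the route should then show a single `Access-Control-Allow-Origin` line; curl does not enforce CORS, which is why a duplicated header only fails in the browser.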

I found that it is not a Caddy issue. I used this plugin, and when the rate limit happens it throws a CORS issue.
