Strip upstream CORS

2026-01-27 12:49:58 +01:00
parent c120d7a164
commit 9d48ce54c1
1 changed files with 8 additions and 1 deletions
--- a/nginx.conf
+++ b/nginx.conf
@@ -32,7 +32,14 @@ http {
            proxy_set_header Host $proxy_host;
            proxy_ssl_server_name on;

-            # CORS headers
+            # Strip upstream CORS so we only send our own (duplicate = browser reject)
+            proxy_hide_header Access-Control-Allow-Origin;
+            proxy_hide_header Access-Control-Allow-Methods;
+            proxy_hide_header Access-Control-Allow-Headers;
+            proxy_hide_header Access-Control-Expose-Headers;
+            proxy_hide_header Access-Control-Max-Age;
+
+            # CORS headers — replace with our own *
            add_header Access-Control-Allow-Origin * always;
            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH" always;
            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Cache,X-NoCache,X-Status" always;