Strip upstream CORS

nginx.conf

@@ -32,7 +32,14 @@ http {
             proxy_set_header Host $proxy_host;
             proxy_ssl_server_name on;
 
-            # CORS headers
+            # Strip upstream CORS so we only send our own (duplicate = browser reject)
+            proxy_hide_header Access-Control-Allow-Origin;
+            proxy_hide_header Access-Control-Allow-Methods;
+            proxy_hide_header Access-Control-Allow-Headers;
+            proxy_hide_header Access-Control-Expose-Headers;
+            proxy_hide_header Access-Control-Max-Age;
+
+            # CORS headers — replace with our own *
             add_header Access-Control-Allow-Origin * always;
             add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH" always;
             add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Cache,X-NoCache,X-Status" always;
@@ -45,6 +52,7 @@ http {
 
             proxy_cache api_cache;
             proxy_cache_valid 200 201 202 203 204 205 206 207 208 226 365d;
+            proxy_ignore_headers Cache-Control Expires;
 
             proxy_cache_bypass $http_x_nocache;
             proxy_no_cache $http_x_nocache;