My site supports HTTP and HTTPS. However, using the code below in the .htaccess file, I can only set one domain to allow CORS requests:
Header set Access-Control-Allow-Origin: http://example.com
I want to enable CORS for the http and https versions of my site (and not just for the "*") and try the solutions here: Access-Control-Allow-Origin Multiple origin domains?
But the problem is that all solutions rely on the Origin header in the request, which may not exist and is not safe either. (anyone can put the source header in their request)
I want to know if the request was processed by https and use this information to set the correct CORS header. Something like that:
SetEnvIf servedOverHttps httpsOrigin=true Header set Access-Control-Allow-Origin: https://example.me env=httpsOrigin SetEnvIf notServedOverHttps httpOrigin=true Header set Access-Control-Allow-Origin: http://example.me env=httpOrigin
How can I find out that this is an https request?
Leoa
source share