The ‘Access-Control-Allow-Origin’ header contains multiple values ‘API_URL, *’, but only one is allowed.

Febrilian
1 min readJun 28, 2023

Earlier today I got an error while configuring a new Linux server with NGINX and Go-based REST server.

`Access to fetch at ‘https://{API_URL}/blog?limit=1' from origin ‘API_URL' has been blocked by CORS policy: The ‘Access-Control-Allow-Origin’ header contains multiple values ‘API_URL, *’, but only one is allowed. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.`

Turns out you cannot set multiple cors headers in your stack, eg: nginx and go. Only one of them can do the job or there will be multiple values in the header.

That is because I tried to configure `add_header Access-Control-Allow-Origin *;` in NGINX while having my Go app adds that header too. So either have theAccess-Control-Allow-Origin config in NGINX or Go. I removed the `add_header` line in my nginx configuration, then it’s solved.

--

--