Fix: Duplicate CORS Headers from Nginx and Application

Duplicate CORS headers cause browser errors like "The 'Access-Control-Allow-Origin' header contains multiple values 'https://app.com, https://app.com'". This happens when both Nginx and your backend application set the same CORS headers independently.

Why This Happens

Your Express/Django/FastAPI application returns Access-Control-Allow-Origin: https://app.com. Your Nginx config also adds the same header with add_header Access-Control-Allow-Origin https://app.com;. Nginx appends its header to the upstream response rather than replacing it, so both copies are sent, and browsers reject multiple values for this header.

Option 1: Remove CORS headers from Nginx (recommended)

If your application already handles CORS correctly, remove the duplicate headers from Nginx:

Remove these lines from your Nginx location block
# Delete or comment out:
# add_header Access-Control-Allow-Origin $http_origin;
# add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
# add_header Access-Control-Allow-Headers "Authorization, Content-Type";

Option 2: Remove CORS from your app, handle in Nginx

Centralise CORS handling at the Nginx layer if you have multiple services that need the same policy:

Nginx CORS block — handles all CORS including preflight
location / {
    # Handle OPTIONS preflight. add_header directives in a nested block replace
    # (rather than extend) those of the enclosing scope, so the preflight block
    # repeats every header it needs.
    if ($request_method = OPTIONS) {
        # $http_origin reflects whatever Origin the client sent, i.e. every origin
        # is allowed; restrict this to an allow-list of known origins in production.
        add_header Access-Control-Allow-Origin $http_origin always;
        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
        add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
        add_header Access-Control-Max-Age 3600 always;
        return 204;
    }

    # Actual request: only the origin header is needed here; "always" keeps it
    # on 4xx/5xx responses as well.
    add_header Access-Control-Allow-Origin $http_origin always;
    proxy_pass http://127.0.0.1:3000;
}

Then disable CORS handling in your application entirely so that Nginx owns it: if the upstream keeps sending its own CORS headers, add_header passes them through untouched and the duplication comes back.


Frequently Asked Questions

Why do CORS headers get duplicated in Nginx?
Nginx's add_header directive adds headers to the response, but does not remove existing headers set by the upstream application. If both Nginx and the application set Access-Control-Allow-Origin, both values appear in the response. Browsers reject multiple values for this header.
How do I check if I have duplicate CORS headers?
Run: curl -sI -H 'Origin: https://yourapp.com' https://yourdomain.com/api/endpoint | grep -i access-control. If you see the same header twice, you have the duplication problem.
Does always in add_header matter for CORS?
Yes. Without always, Nginx only adds headers to 2xx and 3xx responses. CORS headers need to be present on 4xx and 5xx responses too; otherwise the browser blocks the error response and the frontend sees a generic CORS failure instead of the real status code and body. Always use add_header ... always for CORS headers.
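A small check, added here as an example and not part of the original page, that applies the two answers above to captured curl output: it reports every Access-Control-* header that appears more than once and flags a 4xx/5xx response that carries no Access-Control-Allow-Origin at all. The sample responses are constructed; the live wrapper assumes curl is installed.

```shell
#!/bin/sh
# Constructed sample output of:
#   curl -sI -H 'Origin: https://app.com' https://yourdomain.com/api/endpoint
# when both Nginx and the upstream application set Access-Control-Allow-Origin.
DUP_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Access-Control-Allow-Origin: https://app.com
Access-Control-Allow-Origin: https://app.com
Access-Control-Allow-Methods: GET, POST, OPTIONS'

# Constructed 403 response from an Nginx using add_header without "always":
# the CORS headers are dropped from the error response.
ERROR_RESPONSE='HTTP/1.1 403 Forbidden
Server: nginx
Content-Type: text/html'

# Print every Access-Control-* header name that appears more than once.
# Header names are case-insensitive, so they are lower-cased before counting.
dup_cors_headers() {
    printf '%s\n' "$1" | tr -d '\r' | awk -F: '
        tolower($1) ~ /^access-control-/ { n[tolower($1)]++ }
        END { for (h in n) if (n[h] > 1) print h }' | sort
}

# Print "missing" when a 4xx/5xx response carries no Access-Control-Allow-Origin
# (the symptom of a missing "always" flag), otherwise "ok".
cors_on_error() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        NR == 1 && $2 ~ /^[45][0-9][0-9]$/ { err = 1 }
        tolower($0) ~ /^access-control-allow-origin:/ { seen = 1 }
        END { if (err && !seen) print "missing"; else print "ok" }'
}

# Live check against a real endpoint (not run here): same functions, real curl output.
# Usage: check_live https://yourdomain.com/api/endpoint https://yourapp.com
check_live() {
    response=$(curl -sI -H "Origin: $2" "$1")
    dup_cors_headers "$response"
    cors_on_error "$response"
}

dup_cors_headers "$DUP_RESPONSE"   # prints: access-control-allow-origin
cors_on_error "$ERROR_RESPONSE"    # prints: missing
```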
