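# Global CORS configuration
# Grants cross-origin access, with credentials, to one fixed origin.
# SetEnvIf and the Rewrite* directives below need mod_setenvif and mod_rewrite;
# the enclosing IfModule only checks for mod_headers.
<IfModule mod_headers.c>
    # Allow specific origin
    Header set Access-Control-Allow-Origin "https://app.example.com"
    Header set Access-Control-Allow-Credentials "true"
    Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
    Header set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With"

    # Handle preflight requests
    # The RewriteRule below answers every OPTIONS request with 204 before a
    # content handler runs. Plain "Header set" values are not attached to such
    # internally generated responses, so the preflight reply would carry no
    # CORS headers and the browser would block the real request. The "always"
    # copies are limited to OPTIONS so that ordinary responses keep exactly one
    # copy of each header.
    SetEnvIf Request_Method "^OPTIONS$" CORS_PREFLIGHT
    Header always set Access-Control-Allow-Origin "https://app.example.com" env=CORS_PREFLIGHT
    Header always set Access-Control-Allow-Credentials "true" env=CORS_PREFLIGHT
    Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" env=CORS_PREFLIGHT
    Header always set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With" env=CORS_PREFLIGHT

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [R=204,L]
</IfModule>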
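# Dynamic CORS based on origin
# Echoes the request's Origin back only when it matches the allowlist below.
<IfModule mod_headers.c>
    # The pattern is anchored with ^ and $ and the dots are escaped, so only the
    # three listed hosts over https match; a longer host name that merely
    # contains "app.example.com" does not. $0 stores the whole matched Origin.
    SetEnvIf Origin "^https://(app|dashboard|api)\.example\.com$" ORIGIN_SUB_DOMAIN=$0
    Header set Access-Control-Allow-Origin "%{ORIGIN_SUB_DOMAIN}e" env=ORIGIN_SUB_DOMAIN
    Header set Access-Control-Allow-Credentials "true" env=ORIGIN_SUB_DOMAIN

    # The response now depends on the Origin request header. Without Vary, a
    # shared or browser cache can replay a response issued for one origin to
    # another origin (or a response without CORS headers to an allowed origin).
    Header merge Vary "Origin"
</IfModule>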
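# Directory-specific CORS
# "*" lets a page on any origin read responses from this directory, so it
# should hold only data that is safe to serve without cookies or other
# credentials.
<Directory "/var/www/api">
    Header set Access-Control-Allow-Origin "*"
    Header set Access-Control-Allow-Methods "GET, POST"
    Header set Access-Control-Allow-Headers "Content-Type"

    # Browsers reject credentialed requests when the allowed origin is "*".
    # Drop any Access-Control-Allow-Credentials header inherited from a broader
    # scope so this directory never advertises both; a no-op if none is set.
    Header unset Access-Control-Allow-Credentials
</Directory>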