Access-Control-Allow-Origin "*"

Good day
I can’t get CORS redirects to work.
Can you help me, please?
Can you tell me which files I should modify or add, and what lines I should modify or add for this to work?
has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
The system is developed with PHP, CSS, JS and JSON.

On another server without Hestia I was able to get it working, but I need to get it working with Hestia. I have modified apache.conf and nginx.conf, and I can’t get it to work.

On my computer with Debian 12, it also works.

Hi @ClaudioSpcSpa,

In the example I’ll use claudio as Hestia user , as your domain and Access-Control-Allow-Origin: * as the header you want to add.

For Nginx:

cd /home/claudio/conf/web/
echo 'add_header Access-Control-Allow-Origin "*";' >> nginx.conf_headers
ln -s nginx.conf_headers nginx.ssl.conf_headers
systemctl reload nginx

For Apache2:

First check if module headers is enabled.

apache2ctl -M 2>/dev/null | grep headers || echo "You must enable module headers"

If you see the message You must enable module headers then do it… :wink:

a2enmod headers
systemctl restart apache2

Now add the header to .htaccess file:

cd /home/claudio/conf/web/
echo '<IfModule mod_headers.c>' >> .htaccess
echo '    Header set Access-Control-Allow-Origin "*"' >> .htaccess
echo '</IfModule>' >> .htaccess

Test again.

Internal Server Error

Oops! Something went wrong.

The server encountered an internal error or misconfiguration and was unable to complete your request.

Error Code: 500

If you don’t show the error in log I can’t help.

First of all thank you
I already solved this error:
[Mon Apr 15 11:33:46.525537 2024] [core:alert] [pid 3013:tid 139891312654080] [client] /home/syscon32/web/ w$.

Now it gives this error:
[Mon Apr 15 11:42:30.030564 2024] [proxy_fcgi:error] [pid 5725:tid 139735225829120] [client] AH01071: Got error ‘PHP message: PHP Notice: Undefined variable: _SESSION in /home/ syscon32/web/ on line 7’, referer: Error !!!

Also solved, I deleted $_SESSION from line 7 of footerAdmin.php.

In, no more errors appear, but I still get the console message:

Access to XMLHttpRequest at ‘’ from origin ‘’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

    Failed to load resource: net::ERR_FAILED

Did you execute exactly the commands I gave you?

I know nothing about your application but maybe you should do the request to instead of to avoid the redirection (it doesn’t provide the header) but is providing the right header:

❯ curl -I
HTTP/2 200 
server: nginx
date: Mon, 15 Apr 2024 16:19:01 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: PHPSESSID=5kav5ub4cil9ott0ecj0qcqqde; path=/
access-control-allow-origin: *
strict-transport-security: max-age=31536000;
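
The check made in the reply above (the redirect response lacks the header, the final response carries it) can be run over a whole redirect chain. This is an added example, not part of the original thread: it reads a header dump as printed by `curl -sIL` and reports, for each response, whether Access-Control-Allow-Origin is present. The function names and the example.com sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-hop CORS header report for a redirect chain.
# Input on stdin: response headers as printed by `curl -sIL <url>`.

cors_hops() {
    awk '
        function emit() {
            if (status != "")
                printf "%d %s acao=%s%s\n", hop, status,
                       (acao == "" ? "MISSING" : acao),
                       (loc == "" ? "" : " -> " loc)
        }
        { sub(/\r$/, "") }                  # curl prints CRLF line endings
        /^HTTP\// {                         # a status line starts a new hop
            emit(); hop++; status = $2; acao = ""; loc = ""; next
        }
        {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0; sub(/^[^:]*:[ \t]*/, "", value)
            if (name == "access-control-allow-origin") acao = value
            if (name == "location") loc = value
        }
        END { emit() }
    '
}

# Prints the report and returns non-zero if any hop lacks the header.
cors_check() {
    report=$(cors_hops)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q 'acao=MISSING'
}

# Constructed sample: a 301 without the header, then a 200 with it.
sample_headers() {
    printf 'HTTP/2 301 \r\nserver: nginx\r\nlocation: https://www.example.com/\r\n\r\n'
    printf 'HTTP/2 200 \r\nserver: nginx\r\naccess-control-allow-origin: *\r\n\r\n'
}

sample_headers | cors_hops
```

Against a live site, pipe real output in with `curl -sIL <url> | cors_check`. The browser applies the CORS check to every response in the chain, so a hop reported as MISSING is the one that needs the header or needs to be avoided.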

Oh, okay,
I use a constant
const base_url = "";
And it stayed like that.

Run the App again.

This now appears in the console:
Uncaught SyntaxError: Unexpected token ‘A’, "Array
"…is not valid JSON
at JSON.parse ()
at http.onreadystatechange (login.js:22:26)

19 http.onreadystatechange = function () {
20   if (this.readyState == 4 && this.status == 200) {
21     // console.log(this.responseText);
22     const res = JSON.parse(this.responseText);
23     if (res == "ok") {
         window.location = base_url + "/Administration/home/";
       } else {
         document.getElementById("alert").innerHTML = res;

I can’t help you with your code.

Thank you, thank you very much anyway, I think you may have helped me in some way.
