Reputation: 19168
Google Chrome is complaining about AJAX requests to another service because of a missing CORS setup, which I would expect in this state without any CORS-relevant headers:
curl -sD - -o /dev/null https://api.example.xom/service
Headers of the response:
HTTP/2 200
date: Sun, 26 Jan 2020 14:26:25 GMT
server: Apache
cache-control: no-cache, private
vary: Accept-Encoding,User-Agent
content-type: text/html; charset=UTF-8
Google Chrome states:
... has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Then we add the following header to our Apache config within .htaccess:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
Checking the sent headers, this works properly, as expected:
Headers of the response:
HTTP/2 200
date: Sun, 26 Jan 2020 14:26:25 GMT
server: Apache
cache-control: no-cache, private
vary: Accept-Encoding,User-Agent
access-control-allow-origin: *
content-type: text/html; charset=UTF-8
But now Google Chrome complains that the Origin was sent twice:
The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.
How to fix that? How to make Google Chrome accept the origin header only once?
Upvotes: 0
Views: 5553
Reputation: 12418
In my case I used the following snippet, which works as intended:
<IfModule mod_headers.c>
Header always set Access-Control-Allow-Origin: "*"
Header always set Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"
</IfModule>
Upvotes: 2
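A check for the symptom discussed in this thread, as an added example (not code from the question or the answer): it counts the Access-Control-Allow-Origin values in a header dump, whether they arrive as repeated header lines or as one comma-joined line. The sample dumps and the `Origin` value in the final comment are constructed placeholders; sending an `Origin` header matters because a server or application may answer such requests differently from a plain curl request.

```shell
# Added example: count Access-Control-Allow-Origin values in a raw header dump,
# such as the output of `curl -sD - -o /dev/null URL`.
# acao_values prints one allowed-origin value per line. Header names are matched
# case-insensitively; repeated header lines and comma-joined values both count.
acao_values() {
    tr -d '\r' | awk '
        {
            colon = index($0, ":")
            if (colon == 0) next                      # status line, blank line
            if (tolower(substr($0, 1, colon - 1)) != "access-control-allow-origin") next
            n = split(substr($0, colon + 1), parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }'
}

# Verdict: returns 0 only when exactly one value is present.
acao_check() {
    values=$(acao_values)
    if [ -z "$values" ]; then count=0
    else count=$(printf '%s\n' "$values" | wc -l | tr -d ' '); fi
    case "$count" in
        0) echo "missing: no Access-Control-Allow-Origin header"; return 1 ;;
        1) echo "ok: $values"; return 0 ;;
        *) echo "duplicate: $count values ($(printf '%s' "$values" | tr '\n' ','))"
           return 1 ;;
    esac
}

# Constructed sample dumps (not captured from the server in the question).
SAMPLE_SINGLE='HTTP/2 200
server: Apache
access-control-allow-origin: *
content-type: text/html; charset=UTF-8'
SAMPLE_JOINED='HTTP/2 200
server: Apache
Access-Control-Allow-Origin: *, *'
SAMPLE_REPEATED='HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
access-control-allow-origin: *'

for sample in "$SAMPLE_SINGLE" "$SAMPLE_JOINED" "$SAMPLE_REPEATED"; do
    printf '%s\n' "$sample" | acao_check || true
done

# Live check; the Origin value is a placeholder for the calling page's origin:
#   curl -sD - -o /dev/null -H 'Origin: https://app.example' URL | acao_check
```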