Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Does anyone know if I can strip headers from a service I am proxying with cors? I am using a piece of proprietary software and they have bugs in their own cors implementation, so I am trying to use oathkeeper's instead. But now I have an error due to a double value: :point_down:

```The 'Access-Control-Allow-Origin' header contains multiple values '<https://ui.domain>, <https://domain>', but only one is allowed. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.```

Hey, I’m facing it too. Were you able to resolve this?

<@U045YMYGMHN> and I as well. Did you find anything <@U03S44TEEJZ>?

The server I proxy had its own cors middleware, disabled it and it worked

Sweet <@U03PPHZL3MK>. What option did you use for that

Great. Thank you, I think our issue must be related. I’ll reply here once we resolve it

The middlewares are in settings/ somewhere

We’re having this issue setting up a custom UI for cloud Kratos. So, in debug mode, we see that the ory proxy itself is adding a CORS header for localhost, and there must be a * header being set somewhere else in the chain, we’re just not sure where

<@U03293S758B>, I was able to solve this issue,  my server was spitting extra headers and oathkeeper was appending the similar headers instead of overwriting them.

For any future readers, we have been unable to resolve this coming from Ory Cloud Kratos to a Vue front end with the ory proxy.