Duplicate Access-Control-* headers: why browsers reject ambiguous CORS responses
Multiple values for singleton CORS headers create ambiguity; RFCs expect a single effective policy line.
Tags: cors, debugging, http
How browsers evaluate
Some browsers pick the first header; others fail the request—never rely on undefined ordering behavior.
Normalize at one layer and strip duplicates at the edge after integration tests.
Detection
curl -I with verbose mode shows repeated headers; compare against what DevTools displays.
Add temporary logging middleware in lower environments to print outgoing header lists per route.
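One way to automate the check above, as an added example that is not code from the original post: a function that scans a raw response header block (for instance, text saved from curl -sI) and reports Access-Control-* headers that appear more than once or arrive folded into a comma list. The function name, the set of headers treated as single-valued, and the sample response with its app.example host are assumptions constructed for illustration.

```javascript
// Assumption: these Access-Control-* headers carry exactly one value.
const SINGLETON = new Set([
  "access-control-allow-origin",
  "access-control-allow-credentials",
  "access-control-max-age",
]);

// Returns one finding per ambiguous Access-Control-* header.
function findAmbiguousCors(rawHeaders) {
  const seen = new Map(); // lower-cased name -> values in wire order
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // status line or blank line
    const name = line.slice(0, idx).trim().toLowerCase();
    if (!name.startsWith("access-control-")) continue;
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(line.slice(idx + 1).trim());
  }
  const findings = [];
  for (const [name, values] of seen) {
    if (values.length > 1) {
      // Same header emitted by more than one layer (names are case-insensitive).
      findings.push({ name, issue: "repeated", values });
    } else if (SINGLETON.has(name) && values[0].includes(",")) {
      // An intermediary may have folded duplicates into one comma list.
      findings.push({ name, issue: "comma-joined", values });
    }
  }
  return findings;
}

// Constructed sample: application and proxy both set Allow-Origin.
const SAMPLE = [
  "HTTP/1.1 200 OK",
  "Content-Type: application/json",
  "Access-Control-Allow-Origin: https://app.example",
  "access-control-allow-origin: *",
  "Access-Control-Allow-Credentials: true",
  "Access-Control-Max-Age: 600, 600",
  "Access-Control-Allow-Methods: GET, POST",
  "",
].join("\r\n");

console.log(JSON.stringify(findAmbiguousCors(SAMPLE), null, 2));
```

Running it per route in integration tests catches a duplicate before it reaches a browser; an empty result means each Access-Control-* header was sent once with a single value where one is expected.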
