Cloudflare is caching my Allow Origin Cors headers

I have an issue with my REST API built in WordPress.

Say I clear all caches, to ensure the responses are fresh. I make a CURL request to my API like so:

curl -I -H “Origin: https://domain1.comhttps://my-api.com/wp-json/some-endpoint

I get back headers:
access-control-allow-origin: https://domain1.com
access-control-allow-methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
access-control-allow-credentials: true
vary: Origin,User-Agent

Which are the correct headers. However, if I make a new request using a different origin domain2.com, like so:
curl -I -H “Origin: https://domain2.comhttps://my-api.com/wp-json/some-endpoint

I still get back same headers from before, with domain1.com as the allow-origin, and then the browser will fail:

access-control-allow-origin: https://domain1.com <!----- wrong. should be domain2.com
access-control-allow-methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
access-control-allow-credentials: true
vary: Origin,User-Agent

If I clear the caches and try again, then it works fine, having domain2.com as the allow-origin.

The API resides at: https://thejewelleryroom.com/wp-json/jwr/v1/products/slug?slug=solv-australien&lang=en

This topic was automatically closed after 14 days. New replies are no longer allowed.