CMXX - Dealers

api.php

@@ -21,15 +21,37 @@ include './settings/config_redirector.php';
 //------------------------------------------   
 if (header_security){
   
+    // Array of allowed domain patterns (without the protocol part)
+    $allowedDomainPatterns = [
+        'vanbeers.tv',     
+        'soveliti.nl',
+        'veliti.nl',
+        'gewoonlekkerspaans.nl'
+    ];
+
+    // Get the origin from the request headers
+    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
+
+    // Set CORS headers if origin is allowed
+    if (isOriginAllowed($origin, $allowedDomainPatterns)) {
+        header("Access-Control-Allow-Origin: $origin");
+        header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS");
+        header("Access-Control-Allow-Headers: Authorization, Content-Type");
+        //header("Access-Control-Allow-Credentials: true"); // Include if needed
+    }
+
+    // Handle preflight requests
+    if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
+        // Return early with 204 No Content for preflight requests
+        http_response_code(204);
+        exit;
+    }
     // Strict security headers
     header('Content-Type: application/json');
     header('X-Content-Type-Options: nosniff');
     header('X-Frame-Options: DENY');
     header('X-XSS-Protection: 1; mode=block');
     header('Content-Security-Policy: default-src \'none\'');
-    header('Access-Control-Allow-Origin: ' . $_ENV['ALLOWED_ORIGIN']);
-    header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
-    header('Access-Control-Allow-Headers: Content-Type, Accept, Authorization');
     header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
     header('Referrer-Policy: strict-origin-when-cross-origin');