
Allowing multiple origins in CORS for Apigee proxy

I have a set of proxies being consumed by multiple sites. I have added a CORS policy to send the headers below to fix a CORS issue.

<Header name="Access-Control-Allow-Origin">*</Header>
<Header name="Access-Control-Allow-Headers">*</Header>
<Header name="Access-Control-Max-Age">3628800</Header>
<Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>

I read that CORS helps to add security and that it is not recommended to allow all origins, since the proxy can be accessed by any website. I tried to give comma-separated values (<Header name="Access-Control-Allow-Origin">https://www.site1.com,https://www.site2.com</Header>) inside the allowed origins. However, the browser gives an error saying that the header contains multiple values.

Is there any inbuilt way to configure Apigee to allow multiple valid origins, so that Apigee will send only the valid origin according to the incoming request?

These kinds of options are available in other frameworks, where we can configure all the allowed origins and the server will respond with the appropriate headers. I was thinking of doing a JS callout to check the value of the origin against a comma-separated list stored in a KVM. Please let me know if there is any easier way to solve this. @dchiesa1 @API-Evangelist

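The JS callout approach described in the question, sketched as an added example (not code from the original post or from Apigee). It assumes the comma-separated list has already been read from the KVM into a flow variable; the variable names `private.cors.allowed_origins` and `cors.allow_origin` are hypothetical.

```javascript
// Added example: origin allow-list check for an Apigee JavaScript callout.
// Written in ES5 style. Flow variable names other than
// request.header.origin are assumptions made for this sketch.

// A list entry must be a bare origin: scheme://host[:port], no path, no "*".
var ORIGIN_RE = /^https?:\/\/[a-z0-9.-]+(:\d{1,5})?$/;

// Turn the comma-separated KVM value into an array of valid origins.
// Blank or malformed entries (for example "*") are dropped, so a bad
// KVM edit cannot silently open the proxy to every site.
function parseAllowList(csv) {
  var parts = String(csv || '').split(',');
  var origins = [];
  for (var i = 0; i < parts.length; i++) {
    var entry = parts[i].trim();
    if (ORIGIN_RE.test(entry)) {
      origins.push(entry);
    }
  }
  return origins;
}

// Return the one origin to echo in Access-Control-Allow-Origin,
// or null when the request's Origin is missing or not on the list.
// The comparison is an exact string match: no prefix, suffix or
// substring matching, so look-alike hosts do not pass.
function selectAllowedOrigin(requestOrigin, allowListCsv) {
  if (requestOrigin === null || requestOrigin === undefined) {
    return null;
  }
  var origin = String(requestOrigin);
  return parseAllowList(allowListCsv).indexOf(origin) !== -1 ? origin : null;
}

// Callout glue: runs only inside Apigee, where `context` is defined.
if (typeof context !== 'undefined') {
  var allowed = selectAllowedOrigin(
    context.getVariable('request.header.origin'),
    context.getVariable('private.cors.allowed_origins') // assumed name
  );
  // Empty string means "do not send Access-Control-Allow-Origin".
  context.setVariable('cors.allow_origin', allowed || ''); // assumed name
}
```

A later AssignMessage step can set `Access-Control-Allow-Origin` from the variable only when it is non-empty. The response should also carry `Vary: Origin` so that a cache does not serve one site's response to another.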