extend multiple origin support to every HTTP-based service

2025-12-20 02:00:05 -08:00 · 2025-11-20 20:55:45 +01:00 · 2025-11-20 20:55:45 +01:00 · d24dacd21f
commit d24dacd21f
parent 33688df805
15 changed files with 125 additions and 63 deletions
--- a/internal/conf/conf.go
+++ b/internal/conf/conf.go
@ -183,7 +183,7 @@ type Conf struct {
 	APIServerKey      string     `json:"apiServerKey"`
 	APIServerCert     string     `json:"apiServerCert"`
 	APIAllowOrigin    *string    `json:"apiAllowOrigin,omitempty"` // deprecated
-	APIAllowOrigins   []string   `json:"apiAllowOrigins"`
+	APIAllowOrigins   []string   `json:"apiAllowOrigins"`          // TODO: move in alias
 	APITrustedProxies IPNetworks `json:"apiTrustedProxies"`

 	// Metrics
@ -192,7 +192,8 @@ type Conf struct {
 	MetricsEncryption     bool       `json:"metricsEncryption"`
 	MetricsServerKey      string     `json:"metricsServerKey"`
 	MetricsServerCert     string     `json:"metricsServerCert"`
-	MetricsAllowOrigin    string     `json:"metricsAllowOrigin"`
+	MetricsAllowOrigin    *string    `json:"metricsAllowOrigin,omitempty"` // deprecated
+	MetricsAllowOrigins   []string   `json:"metricsAllowOrigins"`
 	MetricsTrustedProxies IPNetworks `json:"metricsTrustedProxies"`

 	// PPROF
@ -201,7 +202,8 @@ type Conf struct {
 	PPROFEncryption     bool       `json:"pprofEncryption"`
 	PPROFServerKey      string     `json:"pprofServerKey"`
 	PPROFServerCert     string     `json:"pprofServerCert"`
-	PPROFAllowOrigin    string     `json:"pprofAllowOrigin"`
+	PPROFAllowOrigin    *string    `json:"pprofAllowOrigin,omitempty"` // deprecated
+	PPROFAllowOrigins   []string   `json:"pprofAllowOrigins"`
 	PPROFTrustedProxies IPNetworks `json:"pprofTrustedProxies"`

 	// Playback
@ -210,7 +212,8 @@ type Conf struct {
 	PlaybackEncryption     bool       `json:"playbackEncryption"`
 	PlaybackServerKey      string     `json:"playbackServerKey"`
 	PlaybackServerCert     string     `json:"playbackServerCert"`
-	PlaybackAllowOrigin    string     `json:"playbackAllowOrigin"`
+	PlaybackAllowOrigin    *string    `json:"playbackAllowOrigin,omitempty"` // deprecated
+	PlaybackAllowOrigins   []string   `json:"playbackAllowOrigins"`
 	PlaybackTrustedProxies IPNetworks `json:"playbackTrustedProxies"`

 	// RTSP server
@ -255,7 +258,8 @@ type Conf struct {
 	HLSEncryption      bool       `json:"hlsEncryption"`
 	HLSServerKey       string     `json:"hlsServerKey"`
 	HLSServerCert      string     `json:"hlsServerCert"`
-	HLSAllowOrigin     string     `json:"hlsAllowOrigin"`
+	HLSAllowOrigin     *string    `json:"hlsAllowOrigin,omitempty"` // deprecated
+	HLSAllowOrigins    []string   `json:"hlsAllowOrigins"`
 	HLSTrustedProxies  IPNetworks `json:"hlsTrustedProxies"`
 	HLSAlwaysRemux     bool       `json:"hlsAlwaysRemux"`
 	HLSVariant         HLSVariant `json:"hlsVariant"`
@ -273,7 +277,8 @@ type Conf struct {
 	WebRTCEncryption            bool             `json:"webrtcEncryption"`
 	WebRTCServerKey             string           `json:"webrtcServerKey"`
 	WebRTCServerCert            string           `json:"webrtcServerCert"`
-	WebRTCAllowOrigin           string           `json:"webrtcAllowOrigin"`
+	WebRTCAllowOrigin           *string          `json:"webrtcAllowOrigin,omitempty"` // deprecated
+	WebRTCAllowOrigins          []string         `json:"webrtcAllowOrigins"`
 	WebRTCTrustedProxies        IPNetworks       `json:"webrtcTrustedProxies"`
 	WebRTCLocalUDPAddress       string           `json:"webrtcLocalUDPAddress"`
 	WebRTCLocalTCPAddress       string           `json:"webrtcLocalTCPAddress"`
@ -347,19 +352,19 @@ func (conf *Conf) setDefaults() {
 	conf.MetricsAddress = ":9998"
 	conf.MetricsServerKey = "server.key"
 	conf.MetricsServerCert = "server.crt"
-	conf.MetricsAllowOrigin = "*"
+	conf.MetricsAllowOrigins = []string{"*"}

 	// PPROF
 	conf.PPROFAddress = ":9999"
 	conf.PPROFServerKey = "server.key"
 	conf.PPROFServerCert = "server.crt"
-	conf.PPROFAllowOrigin = "*"
+	conf.PPROFAllowOrigins = []string{"*"}

 	// Playback server
 	conf.PlaybackAddress = ":9996"
 	conf.PlaybackServerKey = "server.key"
 	conf.PlaybackServerCert = "server.crt"
-	conf.PlaybackAllowOrigin = "*"
+	conf.PlaybackAllowOrigins = []string{"*"}

 	// RTSP server
 	conf.RTSP = true
@ -395,7 +400,7 @@ func (conf *Conf) setDefaults() {
 	conf.HLSAddress = ":8888"
 	conf.HLSServerKey = "server.key"
 	conf.HLSServerCert = "server.crt"
-	conf.HLSAllowOrigin = "*"
+	conf.HLSAllowOrigins = []string{"*"}
 	conf.HLSVariant = HLSVariant(gohlslib.MuxerVariantLowLatency)
 	conf.HLSSegmentCount = 7
 	conf.HLSSegmentDuration = 1 * Duration(time.Second)
@ -408,7 +413,7 @@ func (conf *Conf) setDefaults() {
 	conf.WebRTCAddress = ":8889"
 	conf.WebRTCServerKey = "server.key"
 	conf.WebRTCServerCert = "server.crt"
-	conf.WebRTCAllowOrigin = "*"
+	conf.WebRTCAllowOrigins = []string{"*"}
 	conf.WebRTCLocalUDPAddress = ":8189"
 	conf.WebRTCIPsFromInterfaces = true
 	conf.WebRTCIPsFromInterfacesList = []string{}
@ -523,16 +528,20 @@ func (conf *Conf) Validate(l logger.Writer) error {
 	if conf.ReadTimeout <= 0 {
 		return fmt.Errorf("'readTimeout' must be greater than zero")
 	}
+
 	if conf.WriteTimeout <= 0 {
 		return fmt.Errorf("'writeTimeout' must be greater than zero")
 	}
+
 	if conf.ReadBufferCount != nil {
 		l.Log(logger.Warn, "parameter 'readBufferCount' is deprecated and has been replaced with 'writeQueueSize'")
 		conf.WriteQueueSize = *conf.ReadBufferCount
 	}
+
 	if (conf.WriteQueueSize & (conf.WriteQueueSize - 1)) != 0 {
 		return fmt.Errorf("'writeQueueSize' must be a power of two")
 	}
+
 	if conf.UDPMaxPayloadSize > 1472 {
 		return fmt.Errorf("'udpMaxPayloadSize' must be less than 1472")
 	}
@ -545,16 +554,19 @@ func (conf *Conf) Validate(l logger.Writer) error {
 		conf.AuthMethod = AuthMethodHTTP
 		conf.AuthHTTPAddress = *conf.ExternalAuthenticationURL
 	}
+
 	if conf.AuthHTTPAddress != "" &&
 		!strings.HasPrefix(conf.AuthHTTPAddress, "http://") &&
 		!strings.HasPrefix(conf.AuthHTTPAddress, "https://") {
 		return fmt.Errorf("'externalAuthenticationURL' must be a HTTP URL")
 	}
+
 	if conf.AuthJWTJWKS != "" &&
 		!strings.HasPrefix(conf.AuthJWTJWKS, "http://") &&
 		!strings.HasPrefix(conf.AuthJWTJWKS, "https://") {
 		return fmt.Errorf("'authJWTJWKS' must be a HTTP URL")
 	}
+
 	deprecatedCredentialsMode := false
 	if anyPathHasDeprecatedCredentials(conf.PathDefaults, conf.OptionalPaths) {
 		l.Log(logger.Warn, "you are using one or more authentication-related deprecated parameters "+
@ -593,6 +605,7 @@ func (conf *Conf) Validate(l logger.Writer) error {
 		}
 		deprecatedCredentialsMode = true
 	}
+
 	switch conf.AuthMethod {
 	case AuthMethodHTTP:
 		if conf.AuthHTTPAddress == "" {
@ -615,24 +628,49 @@ func (conf *Conf) Validate(l logger.Writer) error {
 		conf.APIAllowOrigins = []string{*conf.APIAllowOrigin}
 	}

-	// RTSP
+	// Metrics
+
+	if conf.MetricsAllowOrigin != nil {
+		l.Log(logger.Warn, "parameter 'metricsAllowOrigin' is deprecated and has been replaced with 'metricsAllowOrigins'")
+		conf.MetricsAllowOrigins = []string{*conf.MetricsAllowOrigin}
+	}
+
+	// PPROF
+
+	if conf.PPROFAllowOrigin != nil {
+		l.Log(logger.Warn, "parameter 'pprofAllowOrigin' is deprecated and has been replaced with 'pprofAllowOrigins'")
+		conf.PPROFAllowOrigins = []string{*conf.PPROFAllowOrigin}
+	}
+
+	// Playback
+
+	if conf.PlaybackAllowOrigin != nil {
+		l.Log(logger.Warn, "parameter 'playbackAllowOrigin' is deprecated and has been replaced with 'playbackAllowOrigins'")
+		conf.PlaybackAllowOrigins = []string{*conf.PlaybackAllowOrigin}
+	}
+
+	// RTSP server

 	if conf.RTSPDisable != nil {
 		l.Log(logger.Warn, "parameter 'rtspDisabled' is deprecated and has been replaced with 'rtsp'")
 		conf.RTSP = !*conf.RTSPDisable
 	}
+
 	if conf.Protocols != nil {
 		l.Log(logger.Warn, "parameter 'protocols' is deprecated and has been replaced with 'rtspTransports'")
 		conf.RTSPTransports = *conf.Protocols
 	}
+
 	if conf.Encryption != nil {
 		l.Log(logger.Warn, "parameter 'encryption' is deprecated and has been replaced with 'rtspEncryption'")
 		conf.RTSPEncryption = *conf.Encryption
 	}
+
 	if conf.AuthMethods != nil {
 		l.Log(logger.Warn, "parameter 'authMethods' is deprecated and has been replaced with 'rtspAuthMethods'")
 		conf.RTSPAuthMethods = *conf.AuthMethods
 	}
+
 	if slices.Contains(conf.RTSPAuthMethods, auth.VerifyMethodDigestMD5) {
 		if conf.AuthMethod != AuthMethodInternal {
 			return fmt.Errorf("when RTSP digest is enabled, the only supported auth method is 'internal'")
@ -643,14 +681,17 @@ func (conf *Conf) Validate(l logger.Writer) error {
 			}
 		}
 	}
+
 	if conf.ServerCert != nil {
 		l.Log(logger.Warn, "parameter 'serverCert' is deprecated and has been replaced with 'rtspServerCert'")
 		conf.RTSPServerCert = *conf.ServerCert
 	}
+
 	if conf.ServerKey != nil {
 		l.Log(logger.Warn, "parameter 'serverKey' is deprecated and has been replaced with 'rtspServerKey'")
 		conf.RTSPServerKey = *conf.ServerKey
 	}
+
 	if len(conf.RTSPAuthMethods) == 0 {
 		return fmt.Errorf("at least one 'rtspAuthMethods' must be provided")
 	}
@ -669,27 +710,36 @@ func (conf *Conf) Validate(l logger.Writer) error {
 		conf.HLS = !*conf.HLSDisable
 	}

+	if conf.HLSAllowOrigin != nil {
+		l.Log(logger.Warn, "parameter 'hlsAllowOrigin' is deprecated and has been replaced with 'hlsAllowOrigins'")
+		conf.HLSAllowOrigins = []string{*conf.HLSAllowOrigin}
+	}
+
 	// WebRTC

 	if conf.WebRTCDisable != nil {
 		l.Log(logger.Warn, "parameter 'webrtcDisable' is deprecated and has been replaced with 'webrtc'")
 		conf.WebRTC = !*conf.WebRTCDisable
 	}
+
 	if conf.WebRTCICEUDPMuxAddress != nil {
 		l.Log(logger.Warn, "parameter 'webrtcICEUDPMuxAdderss' is deprecated "+
 			"and has been replaced with 'webrtcLocalUDPAddress'")
 		conf.WebRTCLocalUDPAddress = *conf.WebRTCICEUDPMuxAddress
 	}
+
 	if conf.WebRTCICETCPMuxAddress != nil {
 		l.Log(logger.Warn, "parameter 'webrtcICETCPMuxAddress' is deprecated "+
 			"and has been replaced with 'webrtcLocalTCPAddress'")
 		conf.WebRTCLocalTCPAddress = *conf.WebRTCICETCPMuxAddress
 	}
+
 	if conf.WebRTCICEHostNAT1To1IPs != nil {
 		l.Log(logger.Warn, "parameter 'webrtcICEHostNAT1To1IPs' is deprecated "+
 			"and has been replaced with 'webrtcAdditionalHosts'")
 		conf.WebRTCAdditionalHosts = *conf.WebRTCICEHostNAT1To1IPs
 	}
+
 	if conf.WebRTCICEServers != nil {
 		l.Log(logger.Warn, "parameter 'webrtcICEServers' is deprecated "+
 			"and has been replaced with 'webrtcICEServers2'")
@ -709,6 +759,7 @@ func (conf *Conf) Validate(l logger.Writer) error {
 			}
 		}
 	}
+
 	for _, server := range conf.WebRTCICEServers2 {
 		if !strings.HasPrefix(server.URL, "stun:") &&
 			!strings.HasPrefix(server.URL, "turn:") &&
@ -716,18 +767,25 @@ func (conf *Conf) Validate(l logger.Writer) error {
 			return fmt.Errorf("invalid ICE server: '%s'", server.URL)
 		}
 	}
+
 	if conf.WebRTCLocalUDPAddress == "" &&
 		conf.WebRTCLocalTCPAddress == "" &&
 		len(conf.WebRTCICEServers2) == 0 {
 		return fmt.Errorf("at least one between 'webrtcLocalUDPAddress'," +
 			" 'webrtcLocalTCPAddress' or 'webrtcICEServers2' must be filled")
 	}
+
 	if conf.WebRTCLocalUDPAddress != "" || conf.WebRTCLocalTCPAddress != "" {
 		if !conf.WebRTCIPsFromInterfaces && len(conf.WebRTCAdditionalHosts) == 0 {
 			return fmt.Errorf("at least one between 'webrtcIPsFromInterfaces' or 'webrtcAdditionalHosts' must be filled")
 		}
 	}

+	if conf.WebRTCAllowOrigin != nil {
+		l.Log(logger.Warn, "parameter 'webrtcAllowOrigin' is deprecated and has been replaced with 'webrtcAllowOrigins'")
+		conf.WebRTCAllowOrigins = []string{*conf.WebRTCAllowOrigin}
+	}
+
 	// Record (deprecated)

 	if conf.Record != nil {
@ -735,26 +793,31 @@ func (conf *Conf) Validate(l logger.Writer) error {
 			"and has been replaced with 'pathDefaults.record'")
 		conf.PathDefaults.Record = *conf.Record
 	}
+
 	if conf.RecordPath != nil {
 		l.Log(logger.Warn, "parameter 'recordPath' is deprecated "+
 			"and has been replaced with 'pathDefaults.recordPath'")
 		conf.PathDefaults.RecordPath = *conf.RecordPath
 	}
+
 	if conf.RecordFormat != nil {
 		l.Log(logger.Warn, "parameter 'recordFormat' is deprecated "+
 			"and has been replaced with 'pathDefaults.recordFormat'")
 		conf.PathDefaults.RecordFormat = *conf.RecordFormat
 	}
+
 	if conf.RecordPartDuration != nil {
 		l.Log(logger.Warn, "parameter 'recordPartDuration' is deprecated "+
 			"and has been replaced with 'pathDefaults.recordPartDuration'")
 		conf.PathDefaults.RecordPartDuration = *conf.RecordPartDuration
 	}
+
 	if conf.RecordSegmentDuration != nil {
 		l.Log(logger.Warn, "parameter 'recordSegmentDuration' is deprecated "+
 			"and has been replaced with 'pathDefaults.recordSegmentDuration'")
 		conf.PathDefaults.RecordSegmentDuration = *conf.RecordSegmentDuration
 	}
+
 	if conf.RecordDeleteAfter != nil {
 		l.Log(logger.Warn, "parameter 'recordDeleteAfter' is deprecated "+
 			"and has been replaced with 'pathDefaults.recordDeleteAfter'")
--- a/internal/core/core.go
+++ b/internal/core/core.go
@ -324,7 +324,7 @@ func (p *Core) createResources(initial bool) error {
 			Encryption:     p.conf.MetricsEncryption,
 			ServerKey:      p.conf.MetricsServerKey,
 			ServerCert:     p.conf.MetricsServerCert,
-			AllowOrigin:    p.conf.MetricsAllowOrigin,
+			AllowOrigins:   p.conf.MetricsAllowOrigins,
 			TrustedProxies: p.conf.MetricsTrustedProxies,
 			ReadTimeout:    p.conf.ReadTimeout,
 			WriteTimeout:   p.conf.WriteTimeout,
@ -345,7 +345,7 @@ func (p *Core) createResources(initial bool) error {
 			Encryption:     p.conf.PPROFEncryption,
 			ServerKey:      p.conf.PPROFServerKey,
 			ServerCert:     p.conf.PPROFServerCert,
-			AllowOrigin:    p.conf.PPROFAllowOrigin,
+			AllowOrigins:   p.conf.PPROFAllowOrigins,
 			TrustedProxies: p.conf.PPROFTrustedProxies,
 			ReadTimeout:    p.conf.ReadTimeout,
 			WriteTimeout:   p.conf.WriteTimeout,
@ -375,7 +375,7 @@ func (p *Core) createResources(initial bool) error {
 			Encryption:     p.conf.PlaybackEncryption,
 			ServerKey:      p.conf.PlaybackServerKey,
 			ServerCert:     p.conf.PlaybackServerCert,
-			AllowOrigin:    p.conf.PlaybackAllowOrigin,
+			AllowOrigins:   p.conf.PlaybackAllowOrigins,
 			TrustedProxies: p.conf.PlaybackTrustedProxies,
 			ReadTimeout:    p.conf.ReadTimeout,
 			WriteTimeout:   p.conf.WriteTimeout,
@ -563,7 +563,7 @@ func (p *Core) createResources(initial bool) error {
 			Encryption:      p.conf.HLSEncryption,
 			ServerKey:       p.conf.HLSServerKey,
 			ServerCert:      p.conf.HLSServerCert,
-			AllowOrigin:     p.conf.HLSAllowOrigin,
+			AllowOrigins:    p.conf.HLSAllowOrigins,
 			TrustedProxies:  p.conf.HLSTrustedProxies,
 			AlwaysRemux:     p.conf.HLSAlwaysRemux,
 			Variant:         p.conf.HLSVariant,
@ -593,7 +593,7 @@ func (p *Core) createResources(initial bool) error {
 			Encryption:            p.conf.WebRTCEncryption,
 			ServerKey:             p.conf.WebRTCServerKey,
 			ServerCert:            p.conf.WebRTCServerCert,
-			AllowOrigin:           p.conf.WebRTCAllowOrigin,
+			AllowOrigins:          p.conf.WebRTCAllowOrigins,
 			TrustedProxies:        p.conf.WebRTCTrustedProxies,
 			ReadTimeout:           p.conf.ReadTimeout,
 			WriteTimeout:          p.conf.WriteTimeout,
@ -713,7 +713,7 @@ func (p *Core) closeResources(newConf *conf.Conf, calledByAPI bool) {
 		newConf.MetricsEncryption != p.conf.MetricsEncryption ||
 		newConf.MetricsServerKey != p.conf.MetricsServerKey ||
 		newConf.MetricsServerCert != p.conf.MetricsServerCert ||
-		newConf.MetricsAllowOrigin != p.conf.MetricsAllowOrigin ||
+		!slices.Equal(newConf.MetricsAllowOrigins, p.conf.MetricsAllowOrigins) ||
 		!reflect.DeepEqual(newConf.MetricsTrustedProxies, p.conf.MetricsTrustedProxies) ||
 		newConf.ReadTimeout != p.conf.ReadTimeout ||
 		newConf.WriteTimeout != p.conf.WriteTimeout ||
@ -726,7 +726,7 @@ func (p *Core) closeResources(newConf *conf.Conf, calledByAPI bool) {
 		newConf.PPROFEncryption != p.conf.PPROFEncryption ||
 		newConf.PPROFServerKey != p.conf.PPROFServerKey ||
 		newConf.PPROFServerCert != p.conf.PPROFServerCert ||
-		newConf.PPROFAllowOrigin != p.conf.PPROFAllowOrigin ||
+		!slices.Equal(newConf.PPROFAllowOrigins, p.conf.PPROFAllowOrigins) ||
 		!reflect.DeepEqual(newConf.PPROFTrustedProxies, p.conf.PPROFTrustedProxies) ||
 		newConf.ReadTimeout != p.conf.ReadTimeout ||
 		newConf.WriteTimeout != p.conf.WriteTimeout ||
@ -746,7 +746,7 @@ func (p *Core) closeResources(newConf *conf.Conf, calledByAPI bool) {
 		newConf.PlaybackEncryption != p.conf.PlaybackEncryption ||
 		newConf.PlaybackServerKey != p.conf.PlaybackServerKey ||
 		newConf.PlaybackServerCert != p.conf.PlaybackServerCert ||
-		newConf.PlaybackAllowOrigin != p.conf.PlaybackAllowOrigin ||
+		!slices.Equal(newConf.PlaybackAllowOrigins, p.conf.PlaybackAllowOrigins) ||
 		!reflect.DeepEqual(newConf.PlaybackTrustedProxies, p.conf.PlaybackTrustedProxies) ||
 		newConf.ReadTimeout != p.conf.ReadTimeout ||
 		newConf.WriteTimeout != p.conf.WriteTimeout ||
@ -853,7 +853,7 @@ func (p *Core) closeResources(newConf *conf.Conf, calledByAPI bool) {
 		newConf.HLSEncryption != p.conf.HLSEncryption ||
 		newConf.HLSServerKey != p.conf.HLSServerKey ||
 		newConf.HLSServerCert != p.conf.HLSServerCert ||
-		newConf.HLSAllowOrigin != p.conf.HLSAllowOrigin ||
+		!slices.Equal(newConf.HLSAllowOrigins, p.conf.HLSAllowOrigins) ||
 		!reflect.DeepEqual(newConf.HLSTrustedProxies, p.conf.HLSTrustedProxies) ||
 		newConf.HLSAlwaysRemux != p.conf.HLSAlwaysRemux ||
 		newConf.HLSVariant != p.conf.HLSVariant ||
@ -875,7 +875,7 @@ func (p *Core) closeResources(newConf *conf.Conf, calledByAPI bool) {
 		newConf.WebRTCEncryption != p.conf.WebRTCEncryption ||
 		newConf.WebRTCServerKey != p.conf.WebRTCServerKey ||
 		newConf.WebRTCServerCert != p.conf.WebRTCServerCert ||
-		newConf.WebRTCAllowOrigin != p.conf.WebRTCAllowOrigin ||
+		!slices.Equal(newConf.WebRTCAllowOrigins, p.conf.WebRTCAllowOrigins) ||
 		!reflect.DeepEqual(newConf.WebRTCTrustedProxies, p.conf.WebRTCTrustedProxies) ||
 		newConf.ReadTimeout != p.conf.ReadTimeout ||
 		newConf.WriteTimeout != p.conf.WriteTimeout ||
--- a/internal/metrics/metrics.go
+++ b/internal/metrics/metrics.go
@ -74,7 +74,7 @@ type Metrics struct {
 	Encryption     bool
 	ServerKey      string
 	ServerCert     string
-	AllowOrigin    string
+	AllowOrigins   []string
 	TrustedProxies conf.IPNetworks
 	ReadTimeout    conf.Duration
 	WriteTimeout   conf.Duration
@ -105,7 +105,7 @@ func (m *Metrics) Initialize() error {

 	m.httpServer = &httpp.Server{
 		Address:      m.Address,
-		AllowOrigins: []string{m.AllowOrigin},
+		AllowOrigins: m.AllowOrigins,
 		ReadTimeout:  time.Duration(m.ReadTimeout),
 		WriteTimeout: time.Duration(m.WriteTimeout),
 		Encryption:   m.Encryption,
--- a/internal/metrics/metrics_test.go
+++ b/internal/metrics/metrics_test.go
@ -192,7 +192,7 @@ func (dummyWebRTCServer) APISessionsKick(uuid.UUID) error {
 func TestPreflightRequest(t *testing.T) {
 	m := Metrics{
 		Address:      "localhost:9998",
-		AllowOrigin:  "*",
+		AllowOrigins: []string{"*"},
 		ReadTimeout:  conf.Duration(10 * time.Second),
 		WriteTimeout: conf.Duration(10 * time.Second),
 		AuthManager:  test.NilAuthManager,
@ -232,7 +232,7 @@ func TestMetrics(t *testing.T) {

 	m := Metrics{
 		Address:      "localhost:9998",
-		AllowOrigin:  "*",
+		AllowOrigins: []string{"*"},
 		ReadTimeout:  conf.Duration(10 * time.Second),
 		WriteTimeout: conf.Duration(10 * time.Second),
 		AuthManager: &test.AuthManager{
@ -368,7 +368,7 @@ func TestAuthError(t *testing.T) {

 	m := Metrics{
 		Address:      "localhost:9998",
-		AllowOrigin:  "*",
+		AllowOrigins: []string{"*"},
 		ReadTimeout:  conf.Duration(10 * time.Second),
 		WriteTimeout: conf.Duration(10 * time.Second),
 		AuthManager: &test.AuthManager{
@ -428,7 +428,7 @@ func TestFilter(t *testing.T) {
 		t.Run(ca, func(t *testing.T) {
 			m := Metrics{
 				Address:      "localhost:9998",
-				AllowOrigin:  "*",
+				AllowOrigins: []string{"*"},
 				ReadTimeout:  conf.Duration(10 * time.Second),
 				WriteTimeout: conf.Duration(10 * time.Second),
 				AuthManager:  test.NilAuthManager,
--- a/internal/playback/server.go
+++ b/internal/playback/server.go
@ -24,7 +24,7 @@ type Server struct {
 	Encryption     bool
 	ServerKey      string
 	ServerCert     string
-	AllowOrigin    string
+	AllowOrigins   []string
 	TrustedProxies conf.IPNetworks
 	ReadTimeout    conf.Duration
 	WriteTimeout   conf.Duration
@ -48,7 +48,7 @@ func (s *Server) Initialize() error {

 	s.httpServer = &httpp.Server{
 		Address:      s.Address,
-		AllowOrigins: []string{s.AllowOrigin},
+		AllowOrigins: s.AllowOrigins,
 		ReadTimeout:  time.Duration(s.ReadTimeout),
 		WriteTimeout: time.Duration(s.WriteTimeout),
 		Encryption:   s.Encryption,
--- a/internal/playback/server_test.go
+++ b/internal/playback/server_test.go
@ -18,7 +18,7 @@ import (
 func TestPreflightRequest(t *testing.T) {
 	s := &Server{
 		Address:      "127.0.0.1:9996",
-		AllowOrigin:  "*",
+		AllowOrigins: []string{"*"},
 		ReadTimeout:  conf.Duration(10 * time.Second),
 		WriteTimeout: conf.Duration(10 * time.Second),
 		Parent:       test.NilLogger,
--- a/internal/pprof/pprof.go
+++ b/internal/pprof/pprof.go
@ -29,7 +29,7 @@ type PPROF struct {
 	Encryption     bool
 	ServerKey      string
 	ServerCert     string
-	AllowOrigin    string
+	AllowOrigins   []string
 	TrustedProxies conf.IPNetworks
 	ReadTimeout    conf.Duration
 	WriteTimeout   conf.Duration
@ -51,7 +51,7 @@ func (pp *PPROF) Initialize() error {

 	pp.httpServer = &httpp.Server{
 		Address:      pp.Address,
-		AllowOrigins: []string{pp.AllowOrigin},
+		AllowOrigins: pp.AllowOrigins,
 		ReadTimeout:  time.Duration(pp.ReadTimeout),
 		WriteTimeout: time.Duration(pp.WriteTimeout),
 		Encryption:   pp.Encryption,
--- a/internal/pprof/pprof_test.go
+++ b/internal/pprof/pprof_test.go
@ -17,7 +17,7 @@ import (
 func TestPreflightRequest(t *testing.T) {
 	s := &PPROF{
 		Address:      "127.0.0.1:9999",
-		AllowOrigin:  "*",
+		AllowOrigins: []string{"*"},
 		ReadTimeout:  conf.Duration(10 * time.Second),
 		WriteTimeout: conf.Duration(10 * time.Second),
 		Parent:       test.NilLogger,
@ -56,7 +56,7 @@ func TestPprof(t *testing.T) {

 	s := &PPROF{
 		Address:      "127.0.0.1:9999",
-		AllowOrigin:  "*",
+		AllowOrigins: []string{"*"},
 		ReadTimeout:  conf.Duration(10 * time.Second),
 		WriteTimeout: conf.Duration(10 * time.Second),
 		AuthManager: &test.AuthManager{
@ -99,7 +99,7 @@ func TestAuthError(t *testing.T) {

 	s := &PPROF{
 		Address:      "127.0.0.1:9999",
-		AllowOrigin:  "*",
+		AllowOrigins: []string{"*"},
 		ReadTimeout:  conf.Duration(10 * time.Second),
 		WriteTimeout: conf.Duration(10 * time.Second),
 		AuthManager: &test.AuthManager{
--- a/internal/servers/hls/http_server.go
+++ b/internal/servers/hls/http_server.go
@ -39,7 +39,7 @@ type httpServer struct {
 	encryption     bool
 	serverKey      string
 	serverCert     string
-	allowOrigin    string
+	allowOrigins   []string
 	trustedProxies conf.IPNetworks
 	readTimeout    conf.Duration
 	writeTimeout   conf.Duration
@ -59,7 +59,7 @@ func (s *httpServer) initialize() error {

 	s.inner = &httpp.Server{
 		Address:      s.address,
-		AllowOrigins: []string{s.allowOrigin},
+		AllowOrigins: s.allowOrigins,
 		ReadTimeout:  time.Duration(s.readTimeout),
 		WriteTimeout: time.Duration(s.writeTimeout),
 		Encryption:   s.encryption,
--- a/internal/servers/hls/server.go
+++ b/internal/servers/hls/server.go
@ -74,7 +74,7 @@ type Server struct {
 	Encryption      bool
 	ServerKey       string
 	ServerCert      string
-	AllowOrigin     string
+	AllowOrigins    []string
 	TrustedProxies  conf.IPNetworks
 	AlwaysRemux     bool
 	Variant         conf.HLSVariant
@ -124,7 +124,7 @@ func (s *Server) Initialize() error {
 		encryption:     s.Encryption,
 		serverKey:      s.ServerKey,
 		serverCert:     s.ServerCert,
-		allowOrigin:    s.AllowOrigin,
+		allowOrigins:   s.AllowOrigins,
 		trustedProxies: s.TrustedProxies,
 		readTimeout:    s.ReadTimeout,
 		writeTimeout:   s.WriteTimeout,
--- a/internal/servers/hls/server_test.go
+++ b/internal/servers/hls/server_test.go
@ -68,7 +68,7 @@ func (pa *dummyPath) RemoveReader(_ defs.PathRemoveReaderReq) {
 func TestServerPreflightRequest(t *testing.T) {
 	s := &Server{
 		Address:      "127.0.0.1:8888",
-		AllowOrigin:  "*",
+		AllowOrigins: []string{"*"},
 		ReadTimeout:  conf.Duration(10 * time.Second),
 		WriteTimeout: conf.Duration(10 * time.Second),
 		PathManager:  &dummyPathManager{},
@ -131,7 +131,6 @@ func TestServerNotFound(t *testing.T) {
 				SegmentDuration: conf.Duration(1 * time.Second),
 				PartDuration:    conf.Duration(200 * time.Millisecond),
 				SegmentMaxSize:  50 * 1024 * 1024,
-				AllowOrigin:     "",
 				TrustedProxies:  conf.IPNetworks{},
 				Directory:       "",
 				ReadTimeout:     conf.Duration(10 * time.Second),
@ -433,7 +432,6 @@ func TestServerDirectory(t *testing.T) {
 		SegmentDuration: conf.Duration(1 * time.Second),
 		PartDuration:    conf.Duration(200 * time.Millisecond),
 		SegmentMaxSize:  50 * 1024 * 1024,
-		AllowOrigin:     "",
 		TrustedProxies:  conf.IPNetworks{},
 		Directory:       filepath.Join(dir, "mydir"),
 		ReadTimeout:     conf.Duration(10 * time.Second),
--- a/internal/servers/webrtc/http_server.go
+++ b/internal/servers/webrtc/http_server.go
@ -76,7 +76,7 @@ type httpServer struct {
 	encryption     bool
 	serverKey      string
 	serverCert     string
-	allowOrigin    string
+	allowOrigins   []string
 	trustedProxies conf.IPNetworks
 	readTimeout    conf.Duration
 	writeTimeout   conf.Duration
@ -96,7 +96,7 @@ func (s *httpServer) initialize() error {

 	s.inner = &httpp.Server{
 		Address:      s.address,
-		AllowOrigins: []string{s.allowOrigin},
+		AllowOrigins: s.allowOrigins,
 		ReadTimeout:  time.Duration(s.readTimeout),
 		WriteTimeout: time.Duration(s.writeTimeout),
 		Encryption:   s.encryption,
--- a/internal/servers/webrtc/server.go
+++ b/internal/servers/webrtc/server.go
@ -190,7 +190,7 @@ type Server struct {
 	Encryption            bool
 	ServerKey             string
 	ServerCert            string
-	AllowOrigin           string
+	AllowOrigins          []string
 	TrustedProxies        conf.IPNetworks
 	ReadTimeout           conf.Duration
 	WriteTimeout          conf.Duration
@ -254,7 +254,7 @@ func (s *Server) Initialize() error {
 		encryption:     s.Encryption,
 		serverKey:      s.ServerKey,
 		serverCert:     s.ServerCert,
-		allowOrigin:    s.AllowOrigin,
+		allowOrigins:   s.AllowOrigins,
 		trustedProxies: s.TrustedProxies,
 		readTimeout:    s.ReadTimeout,
 		writeTimeout:   s.WriteTimeout,
--- a/internal/servers/webrtc/server_test.go
+++ b/internal/servers/webrtc/server_test.go
@ -66,7 +66,7 @@ func initializeTestServer(t *testing.T) *Server {

 	s := &Server{
 		Address:               "127.0.0.1:8886",
-		AllowOrigin:           "*",
+		AllowOrigins:          []string{"*"},
 		TrustedProxies:        conf.IPNetworks{},
 		ReadTimeout:           conf.Duration(10 * time.Second),
 		WriteTimeout:          conf.Duration(10 * time.Second),
--- a/mediamtx.yml
+++ b/mediamtx.yml
@ -158,10 +158,8 @@ apiEncryption: no
 apiServerKey: server.key
 # Path to the server certificate.
 apiServerCert: server.crt
-# List of allowed origins.
+# Lis.
 # Supports wildcards: ['http://*.example.com']
-# If apiAllowOrigins is set to '*', the Access-Control-Allow-Origin response will be '*',
-# even if no Origin was sent from the client.
 apiAllowOrigins: ['*']
 # List of IPs or CIDRs of proxies placed before the HTTP server.
 # If the server receives a request from one of these entries, IP in logs
@ -184,8 +182,9 @@ metricsEncryption: no
 metricsServerKey: server.key
 # Path to the server certificate.
 metricsServerCert: server.crt
-# Value of the Access-Control-Allow-Origin header provided in every HTTP response.
-metricsAllowOrigin: '*'
+# List of allowed HTTP Origins.
+# Supports wildcards: ['http://*.example.com']
+metricsAllowOrigins: ['*']
 # List of IPs or CIDRs of proxies placed before the HTTP server.
 # If the server receives a request from one of these entries, IP in logs
 # will be taken from the X-Forwarded-For header.
@ -207,8 +206,9 @@ pprofEncryption: no
 pprofServerKey: server.key
 # Path to the server certificate.
 pprofServerCert: server.crt
-# Value of the Access-Control-Allow-Origin header provided in every HTTP response.
-pprofAllowOrigin: '*'
+# List of allowed HTTP Origins.
+# Supports wildcards: ['http://*.example.com']
+pprofAllowOrigins: ['*']
 # List of IPs or CIDRs of proxies placed before the HTTP server.
 # If the server receives a request from one of these entries, IP in logs
 # will be taken from the X-Forwarded-For header.
@ -230,8 +230,9 @@ playbackEncryption: no
 playbackServerKey: server.key
 # Path to the server certificate.
 playbackServerCert: server.crt
-# Value of the Access-Control-Allow-Origin header provided in every HTTP response.
-playbackAllowOrigin: '*'
+# List of allowed HTTP Origins.
+# Supports wildcards: ['http://*.example.com']
+playbackAllowOrigins: ['*']
 # List of IPs or CIDRs of proxies placed before the HTTP server.
 # If the server receives a request from one of these entries, IP in logs
 # will be taken from the X-Forwarded-For header.
@ -322,9 +323,9 @@ hlsEncryption: no
 hlsServerKey: server.key
 # Path to the server certificate.
 hlsServerCert: server.crt
-# Value of the Access-Control-Allow-Origin header provided in every HTTP response.
-# This allows to play the HLS stream from an external website.
-hlsAllowOrigin: '*'
+# List of allowed HTTP Origins.
+# Supports wildcards: ['http://*.example.com']
+hlsAllowOrigins: ['*']
 # List of IPs or CIDRs of proxies placed before the HLS server.
 # If the server receives a request from one of these entries, IP in logs
 # will be taken from the X-Forwarded-For header.
@ -380,9 +381,9 @@ webrtcEncryption: no
 webrtcServerKey: server.key
 # Path to the server certificate.
 webrtcServerCert: server.crt
-# Value of the Access-Control-Allow-Origin header provided in every HTTP response.
-# This allows to play the WebRTC stream from an external website.
-webrtcAllowOrigin: '*'
+# List of allowed HTTP Origins.
+# Supports wildcards: ['http://*.example.com']
+webrtcAllowOrigins: ['*']
 # List of IPs or CIDRs of proxies placed before the WebRTC server.
 # If the server receives a request from one of these entries, IP in logs
 # will be taken from the X-Forwarded-For header.