Access-Control-Allow-Origin: <origin>

You can only allow one specific origin. If the server needs to support clients from multiple origins, it must return the origin for the specific client making the request.