An API generally doesn't want to restrict a request's origin. However, some things don't work well with Access-Control-Allow-Origin: *. So, the way around that is to just mirror back the Origin that a client sends. This Apache config sets the Access-Control-Allow-* headers when it receives an Origin header from a client, and mirrors the requested Origin back in the Access-Control-Allow-Origin header.
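# CORS
# Capture the client's Origin header, if one was sent, into CORS_ALLOW_ORIGIN.
SetEnvIf Origin ^(.+)$ CORS_ALLOW_ORIGIN=$1
# The headers below are only set when CORS_ALLOW_ORIGIN exists (env=...).
# Mirror the captured Origin back to the client.
Header set Access-Control-Allow-Origin %{CORS_ALLOW_ORIGIN}e env=CORS_ALLOW_ORIGIN
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept-Type" env=CORS_ALLOW_ORIGIN
# Allow cookies and HTTP auth on cross-origin requests.
Header set Access-Control-Allow-Credentials "true" env=CORS_ALLOW_ORIGIN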
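
Because the config above also sends Access-Control-Allow-Credentials: true, mirroring every Origin lets any website read responses fetched with the visitor's cookies. The variant below is an added example, not part of the original config: it mirrors the Origin only when it matches an allowlist, and the hosts app.example.com and admin.example.com are placeholders to replace with your own front-end origins.

```apache
# Added example: mirror the Origin only for allowlisted origins.
# app.example.com and admin.example.com are placeholder hosts (assumption).

# Weak form from the config above: the pattern matches any non-empty Origin,
# so every requesting site is mirrored and granted credentialed access.
#   SetEnvIf Origin ^(.+)$ CORS_ALLOW_ORIGIN=$1

# Hardened form: the pattern is anchored at both ends, pins the https scheme,
# and escapes the dots, so lookalike hosts (for example a longer hostname
# that merely starts with app.example.com) and the literal "null" origin
# do not match. When nothing matches, CORS_ALLOW_ORIGIN stays unset and
# none of the conditional headers below are emitted.
SetEnvIf Origin "^(https://(?:app|admin)\.example\.com)$" CORS_ALLOW_ORIGIN=$1

Header set Access-Control-Allow-Origin "%{CORS_ALLOW_ORIGIN}e" env=CORS_ALLOW_ORIGIN
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept-Type" env=CORS_ALLOW_ORIGIN
Header set Access-Control-Allow-Credentials "true" env=CORS_ALLOW_ORIGIN

# The response now differs per Origin, so tell shared caches to key on it.
# Sent on every response, including those to requests without an Origin.
Header merge Vary "Origin"
```

Both forms need mod_setenvif and mod_headers loaded.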