An API generally doesn't want to restrict a request's origin. However, some things don't work well with Access-Control-Allow-Origin: *. So, the way around that is to just mirror back the Origin that a client sends. This apache config sets Access-Control-Allow-* headers when it receives an Origin header from a client, and mirrors the requested Origin back in the Access-Control-Allow-Origin header.
<VirtualHost *:80>
ServerName www.example.com
ServerAlias example.com
DocumentRoot /var/www/www.example.com/docroot
<Directory /var/www/www.example.com/docroot>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
CustomLog /var/log/apache2/www.example.com_access.log combined
ErrorLog /var/log/apache2/www.example.com_error.log
# Force redirect to www.example.com
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]