agungsugiarto/codeigniter4-cors

Send CORS Headers in a CodeIgniter 4 application.

v3.0.0 2023-02-18 07:33 UTC

This package is auto-updated.

Last update: 2024-12-18 12:28:28 UTC


README

Inspired from https://github.com/asm89/stack-cors for CodeIgniter 4

Latest Stable Version Total Downloads Latest Unstable Version License

About

The codeigniter4-cors package allows you to send Cross-Origin Resource Sharing headers with Codeigniter4 filter configuration.

Features

  • Handles CORS pre-flight OPTIONS requests
  • Adds CORS headers to your responses
  • Match routes to only add CORS to certain Requests

Upgrade from 2.x to v3.x

Upgrade from version 2.x to 3.x. Open your composer.json find agungsugiarto/codeigniter4-cors and change value to ^3.0

Installation

Require the agungsugiarto/codeigniter4-cors package in your composer.json and update your dependencies:

composer require agungsugiarto/codeigniter4-cors

Global usage

To allow CORS for all your routes, first register CorsFilter.php filter at the top of the $aliases property of App/Config/Filter.php class:

public $aliases = [
    'cors' => \Fluent\Cors\Filters\CorsFilter::class,
    // ...
];

Global restrictions

Restrict routes based on their URI pattern by editing app/Config/Filters.php and adding them to the $filters array, e.g.:

public $filters = [
    // ...
    'cors' => [
        'before' => ['api/*'],
        'after' => ['api/*']
    ],
];

Restricting a single route

Any single route can be restricted by adding the filter option to the last parameter in any of the route definition methods:

$routes->get('api/users', 'UserController::index', ['filter' => 'cors']);

Restricting Route Groups

In the same way, entire groups of routes can be restricted within the group() method:

$routes->group('api/v1', ['filter' => 'cors'], function ($routes) {
    // ...
});

Configuration

The defaults are set in config/cors.php. Publish the config to copy the file to your own config:

php spark cors:publish

Note: When using custom headers, like X-Auth-Token or X-Requested-With, you must set the allowedHeaders to include those headers. You can also set it to ['*'] to allow all custom headers.

Note: If you are explicitly whitelisting headers, you must include Origin or requests will fail to be recognized as CORS.

Options

allowedOrigins, allowedHeaders and allowedMethods can be set to ['*'] to accept any value.

Note: For allowedOrigins you must include the scheme when not using a wildcard, eg. ['http://example.com', 'https://example.com']. You must also take into account that the scheme will be present when using allowed_origins_patterns.

Note: Try to be a specific as possible. You can start developing with loose constraints, but it's better to be as strict as possible!

License

Released under the MIT License, see LICENSE.