Send CORS Headers in a CodeIgniter 4 application.

v3.0.0 2023-02-18 07:33 UTC

This package is auto-updated.

Last update: 2024-02-18 10:25:01 UTC


Inspired from for CodeIgniter 4

Latest Stable Version Total Downloads Latest Unstable Version License


The codeigniter4-cors package allows you to send Cross-Origin Resource Sharing headers with Codeigniter4 filter configuration.


  • Handles CORS pre-flight OPTIONS requests
  • Adds CORS headers to your responses
  • Match routes to only add CORS to certain Requests

Upgrade from 2.x to v3.x

Upgrade from version 2.x to 3.x. Open your composer.json find agungsugiarto/codeigniter4-cors and change value to ^3.0


Require the agungsugiarto/codeigniter4-cors package in your composer.json and update your dependencies:

composer require agungsugiarto/codeigniter4-cors

Global usage

To allow CORS for all your routes, first register CorsFilter.php filter at the top of the $aliases property of App/Config/Filter.php class:

public $aliases = [
    'cors' => \Fluent\Cors\Filters\CorsFilter::class,
    // ...

Global restrictions

Restrict routes based on their URI pattern by editing app/Config/Filters.php and adding them to the $filters array, e.g.:

public $filters = [
    // ...
    'cors' => [
        'before' => ['api/*'],
        'after' => ['api/*']

Restricting a single route

Any single route can be restricted by adding the filter option to the last parameter in any of the route definition methods:

$routes->get('api/users', 'UserController::index', ['filter' => 'cors']);

Restricting Route Groups

In the same way, entire groups of routes can be restricted within the group() method:

$routes->group('api/v1', ['filter' => 'cors'], function ($routes) {
    // ...


The defaults are set in config/cors.php. Publish the config to copy the file to your own config:

php spark cors:publish

Note: When using custom headers, like X-Auth-Token or X-Requested-With, you must set the allowedHeaders to include those headers. You can also set it to ['*'] to allow all custom headers.

Note: If you are explicitly whitelisting headers, you must include Origin or requests will fail to be recognized as CORS.


Option Description Default value
allowedOrigins Matches the request origin. Wildcards can be used, eg. * ['*']
allowedOriginsPatterns Matches the request origin with preg_match. []
allowedMethods Matches the request method. ['*']
allowedHeaders Sets the Access-Control-Allow-Headers response header. ['*']
exposedHeaders Sets the Access-Control-Expose-Headers response header. false
maxAge Sets the Access-Control-Max-Age response header. 0
supportsCredentials Sets the Access-Control-Allow-Credentials header. false

allowedOrigins, allowedHeaders and allowedMethods can be set to ['*'] to accept any value.

Note: For allowedOrigins you must include the scheme when not using a wildcard, eg. ['', '']. You must also take into account that the scheme will be present when using allowed_origins_patterns.

Note: Try to be a specific as possible. You can start developing with loose constraints, but it's better to be as strict as possible!


Released under the MIT License, see LICENSE.