diego-rlima / laravel-cors
Simple package to add CORS (Cross-Origin Resource Sharing) headers to the Laravel application.
Requires
- php: >=7.0.0
- laravel/framework: ~5.5.0|~5.6.0|~5.7.0|~5.8.0
This package is auto-updated.
Last update: 2024-08-09 02:20:23 UTC
README
Simple package to add CORS (Cross-Origin Resource Sharing) headers to the Laravel application.
Requirements
This package requires Laravel 5.5 or later and PHP 7.0.0 or later.
Installation
$ composer require diego-rlima/laravel-cors
Global usage
To allow CORS for all your routes, add the CorsMiddleware
in the $middleware
property of app/Http/Kernel.php
class:
protected $middleware = [ // ... \DRL\LaravelCors\CorsMiddleware::class, ];
Group middleware
You can also allow CORS in a specific middleware group. Just add the CorsMiddleware
to your group:
protected $middlewareGroups = [ 'web' => [ // ... ], 'api' => [ // ... \DRL\LaravelCors\CorsMiddleware::class, ], ];
Configuration
The defaults are set in config/cors.php
. Get a copy of this file to your own config directory to modify the settings.
Publish the config using the following command:
$ php artisan vendor:publish --provider="DRL\LaravelCors\CorsServiceProvider"
Note: If you are explicitly whitelisting headers, you must include
Origin
or requests will fail to be recognized as CORS.
return [ /* |---------------------------------------------------------------------- | Access-Control-Allow-Origin |---------------------------------------------------------------------- | | This response header specifies the method or methods allowed when | accessing the resource in response to a preflight request. | */ 'allow_origins' => [ '*', ], /* |---------------------------------------------------------------------- | Access-Control-Allow-Methods |---------------------------------------------------------------------- | | This response header specifies the method or methods allowed when | accessing the resource in response to a preflight request. | */ 'allow_methods' => [ 'POST', 'GET', 'OPTIONS', 'PATCH', 'PUT', 'DELETE', ], /* |---------------------------------------------------------------------- | Access-Control-Allow-Headers |---------------------------------------------------------------------- | | This response header is used in response to a preflight request to | indicate which HTTP headers can be used during the actual request. | */ 'allow_headers' => [ 'Content-Type', 'X-Auth-Token', 'Origin', 'Authorization', ], /* |---------------------------------------------------------------------- | Access-Control-Expose-Headers |---------------------------------------------------------------------- | | This response header indicates which headers can be exposed as part | of the response by listing their names. | */ 'expose_headers' => [ 'Cache-Control', 'Content-Language', 'Content-Type', 'Expires', 'Last-Modified', 'Pragma', ], /* |---------------------------------------------------------------------- | Access-Control-Max-Age |---------------------------------------------------------------------- | | This response header indicates how long the results of a preflight | request can be cached. | */ 'max_age' => 60 * 60 * 24, ]
The values of allow_origins
, allow_methods
, allow_headers
and expose_headers
can be set to array('*')
to accept any value.
License
Released under the MIT License, see LICENSE.