1.1.3 2017-04-13 18:59 UTC


Packagist Packagist Scrutinizer Code Quality Build Status

A middleware to handle Cors for multiple domains using Slim. "Access-Contro-Allow-Origin" only accepts one domain or a wildcard. This makes it troublesome if you want to allow different domains access to your api. In order to allow access to multiple domains You either need to create an .htaccess/apache rule: credit

<FilesMatch "\.(ttf|otf|eot|woff|js|css|woff2)$">
    <IfModule mod_headers.c>
        SetEnvIf Origin "^http(s)?:\/\/(www\.|dev\.|local\.)?(domain\.com|domain2\.com)$" AccessControlAllowOrigin=$0
        Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin

Or you have to use a wildcard. It's an all or very restrictive approach, which encourage most dev's to opt for the very easy wildcard '*' approach.

Access-Control-Allow-Origin: *

This middleware will detect the origin of a request, if its within the allowed list it will set the proper "Access-Control-Allow-Origin" value for that domain, as well as restrict the methods it has access to.

Access-Control-Allow-Origin: https://client.domain.com


You can either download manually or use composer.

composer require eko3alpha/slim-cors-middleware


$app = new \Slim\App();

$app->add(new \Eko3alpha\Slim\Middleware\CorsMiddleware([
    'https://dev.domain1.com' => ['GET', 'POST'],
    'https://dev.domain2.com' => ['GET', 'POST'],
    'https://dev.domain3.com' => ['GET']


This middleware allows you to add method restrictions on a per domain basis. Below are some examples of valid configuration options. HTTP and HTTPS are considered 2 different origins.

One entry with a wildcard, this will give GET access to all domains requesting resources

$app->add(new \Eko3alpha\Slim\Middleware\CorsMiddleware([
  '*' => 'GET'

This will give GET, POST and DELETE access to both http and https versions of api.domain.com, you can either use a string value or array.

$app->add(new \Eko3alpha\Slim\Middleware\CorsMiddleware([
  'http://client.domain.com'  => 'GET, POST, DELETE',
  'https://client.domain.com' => ['GET', 'POST', 'DELETE']

You can either choose to have your methods as an array ['GET', 'POST'] or string 'GET, POST'.

Slim Container

You can use Slim's container to hold the configuration if you prefer to have your configuration in a seperate file.

$container = new Slim\Container;


$container['cors'] = ['*' => 'GET, POST'];


$app->add(new \Eko3alpha\Slim\Middleware\CorsMiddleware($container['cors']);