enlightener/php-cors

Enlightener PHP CORS (Cross-Origin Resource Sharing) is a small library that helps prevent attacks from cross-origin requests.

v1.0.9 2025-02-17 10:02 UTC

This package is auto-updated.

Last update: 2025-09-19 13:04:39 UTC


README

  • Configure options for each domain.
  • Flexible in how it can be used.
  • Handles incoming requests strictly and logs any exceptions to make debugging easier.

About

Enlightener PHP CORS is a small library that helps prevent attacks from cross-origin requests. I spent a lot of time researching the mechanism and how it works, and summarized each line in comments. This library is for the Laravel framework; it can also be used with the Symfony framework and plain PHP, but you must modify it if you want to use it that way. I referenced these documents and listed them here:

Note

Use with Laravel versions 6 to 10 or higher; the PHP version must be 7.4 or higher.

Installation

composer require enlightener/php-cors

Basic Usage

Note

Attributes can be a comma-separated string or an array, such as 'foo, baz' or ['foo', 'baz'].

Register a cors service

// Default options
Cors::origins('*');

// Register one service
Cors::origins('https://php.net')
        ->headers('X-Header-One, X-Header-Two, X-Header-Three')
        ->methods('GET, HEAD, POST')
        ->credentials(false)
        ->exposedHeaders('X-Header-One, X-Header-Two, X-Header-Three')
        ->maxAge(0);

// Register an origin with a wildcard in the domain
Cors::origins('*.example.com')
        ->headers('X-Header-One, X-Header-Two, X-Header-Three')
        ->methods('GET, HEAD, POST');

// Register many services
Cors::origins('https://php.net, https://laravel.com')
        ->headers('X-Header-One, X-Header-Two, X-Header-Three')
        ->methods('GET, HEAD, POST');

// or
Cors::origins(['https://php.net', 'https://laravel.com', '*.example.com'])
        ->headers(['X-Header-One', 'X-Header-Two', 'X-Header-Three'])
        ->methods(['GET', 'HEAD', 'POST'])
        ->exposedHeaders(['X-Header-One', 'X-Header-Two', 'X-Header-Three']);

// or
Cors::register([
    'origins' => ['https://php.net', 'https://laravel.com', '*.example.com'],
    'headers' => ['X-Header-One', 'X-Header-Two', 'X-Header-Three'],
    'credentials' => false,
    'exposedHeaders' => ['X-Header-One', 'X-Header-Two', 'X-Header-Three'],
    'maxAge' => 0
]);

// Retrieve all items in the collection
Cors::collection()->items();

// You can use whichever of these methods meets the requirements of your project.
// Note that registering a CORS service always starts with the "origins" method
// on each call to the Cors facade.

Handle a cors service

namespace App\Http\Middleware;

use Closure;
use Enlightener\Cors\Cors;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\RedirectResponse;

class CorsHandler
{
    /**
     * Handle an incoming request.
     */
    public function handle(Request $request, Closure $next): Response|JsonResponse|RedirectResponse
    {
        Cors::origins(['https://php.net', 'https://laravel.com', 'https://symfony.com'])
                ->headers(['X-Header-One', 'X-Header-Two', 'X-Header-Three'])
                ->methods(['GET', 'HEAD', 'POST']);

        return Cors::handle($request, $next);
    }
}

Configuration

Note

These options are strict: when an option is set to [*], its value is handled dynamically based on the incoming request. No values are disclosed to the browser side unnecessarily.

Option | Description | Default value
origins | Origins allowed to share a resource from the server side. | [*]
methods | Methods allowed when accessing a resource. | [*]
headers | Headers that can be used during the actual request. | [*]
credentials | Whether credentials such as cookies, TLS client certificates, or authentication headers are allowed. | false
exposedHeaders | Headers that can be exposed to the browser side. | []
maxAge | The duration in seconds for which the results of a preflight request, such as the Access-Control-Allow-Headers and Access-Control-Allow-Methods headers, can be cached. | 0
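
The wildcard origin entry and the strict, per-request handling described in the note above can be illustrated with a stand-alone origin check. This is an added example, not code from the library: the function names, the constructed allow-list and the rule that wildcard entries only match https origins are assumptions.

```php
<?php
declare(strict_types=1);
// Constructed allow-list, same shape as the values passed to Cors::origins().
const ALLOWED = ['https://php.net', '*.example.com'];

/** True when the request's Origin header matches one allow-list entry. */
function originAllowed(string $origin, array $allowed): bool
{
    $parts = parse_url($origin);
    // Accept only scheme://host[:port]; a path, query or userinfo is not an origin.
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])
        || array_diff_key($parts, ['scheme' => 1, 'host' => 1, 'port' => 1])) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach ($allowed as $entry) {
        if ($entry === '*' || strcasecmp($entry, $origin) === 0) {
            return true;
        }
        // Wildcard entry: keep the leading dot so "evilexample.com" cannot match.
        // Assumption of this example: wildcard entries only match https origins.
        $suffix = strtolower(substr($entry, 1));
        if (strncmp($entry, '*.', 2) === 0 && $parts['scheme'] === 'https'
            && strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

/** Headers for one request: echo only the matched origin, never the whole list. */
function corsHeaders(string $origin, array $allowed, bool $credentials): array
{
    if (!originAllowed($origin, $allowed)) {
        return []; // no CORS headers, so the browser refuses the cross-origin read
    }
    $headers = ['Access-Control-Allow-Origin' => $origin, 'Vary' => 'Origin'];
    // Reflecting any origin together with credentials would open the API to every site.
    if ($credentials && !in_array('*', $allowed, true)) {
        $headers['Access-Control-Allow-Credentials'] = 'true';
    }
    return $headers;
}

// Constructed Origin values, including two look-alike hosts that must be rejected.
foreach (['https://api.example.com', 'https://php.net', 'https://example.com.evil.test',
          'https://evilexample.com', 'http://api.example.com'] as $o) {
    printf("%-30s %s\n", $o, json_encode(corsHeaders($o, ALLOWED, true), JSON_UNESCAPED_SLASHES));
}
```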

License

The PHP CORS library is licensed under the MIT license.