ozee31 / cakephp-cors
A CakePHP (3.3.x) plugin for activate cors domain in your application
Installs: 349 777
Dependents: 0
Suggesters: 0
Security: 0
Stars: 42
Watchers: 6
Forks: 23
Open Issues: 7
Type:cakephp-plugin
Requires
- php: >=7.2.0
- cakephp/cakephp: ^4.0
- psr/http-server-handler: ^1.0
- psr/http-server-middleware: ^1.0
Requires (Dev)
- cakephp/cakephp-codesniffer: ^4.0
- phpunit/phpunit: ~8.5.0
README
A CakePHP (4+) plugin for activate cors domain in your application with Middleware.
For cake 3.3+ use branch cake-3
Requirements
- PHP version 7.2 or higher
- CakePhp 4.0 or higher
Installation
You can install this plugin into your CakePHP application using composer.
The recommended way to install composer packages is:
composer require ozee31/cakephp-cors
Quick Start
Loading the Plugin
// In src/Application.php public function bootstrap(): void { // code ... $this->addPlugin('Cors'); }
By default the plugin authorize cors for all origins, all methods and all headers and caches all for one day.
Configuration
Default configuration
<?php [ 'AllowOrigin' => true, // accept all origin 'AllowCredentials' => true, 'AllowMethods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'], // accept all HTTP methods 'AllowHeaders' => true, // accept all headers 'ExposeHeaders' => false, // don't accept personal headers 'MaxAge' => 86400, // cache for 1 day 'exceptionRenderer' => 'Cors\Error\AppExceptionRenderer', // Use ExeptionRenderer class of plugin
Change config
In app.php add :
'Cors' => [ // My Config ]
AllowOrigin (Access-Control-Allow-Origin)
A returned resource may have one Access-Control-Allow-Origin header, with the following syntax:
'Cors' => [ // Accept all origins 'AllowOrigin' => true, // OR 'AllowOrigin' => '*', // Accept one origin 'AllowOrigin' => 'http://flavienbeninca.fr' // Accept many origins 'AllowOrigin' => ['http://flavienbeninca.fr', 'http://google.com'] ]
AllowCredentials (Access-Control-Allow-Credentials)
The Access-Control-Allow-Credentials header Indicates whether or not the response to the request can be exposed when the credentials flag is true. When used as part of a response to a preflight request, this indicates whether or not the actual request can be made using credentials. Note that simple GET requests are not preflighted, and so if a request is made for a resource with credentials, if this header is not returned with the resource, the response is ignored by the browser and not returned to web content.
'Cors' => [ 'AllowCredentials' => true, // OR 'AllowCredentials' => false, ]
AllowMethods (Access-Control-Allow-Methods)
'Cors' => [ // string 'AllowMethods' => 'POST', // OR array 'AllowMethods' => ['GET', 'POST'], ]
AllowHeaders (Access-Control-Allow-Headers)
The Access-Control-Allow-Headers header is used in response to a preflight request to indicate which HTTP headers can be used when making the actual request.
'Cors' => [ // accept all headers 'AllowHeaders' => true, // accept just authorization 'AllowHeaders' => 'authorization', // accept many headers 'AllowHeaders' => ['authorization', 'other-header'], ]
ExposeHeaders (Access-Control-Expose-Headers)
The Access-Control-Expose-Headers header lets a server whitelist headers that browsers are allowed to access. For example:
'Cors' => [ // nothing 'ExposeHeaders' => false, // string 'ExposeHeaders' => 'X-My-Custom-Header', // array 'ExposeHeaders' => ['X-My-Custom-Header', 'X-Another-Custom-Header'], ]
MaxAge (Access-Control-Max-Age)
The Access-Control-Max-Age header indicates how long the results of a preflight request can be cached. For an example of a preflight request, see the above examples.
'Cors' => [ // no cache 'MaxAge' => false, // 1 hour 'MaxAge' => 3600, // 1 day 'MaxAge' => 86400, ]
exceptionRenderer
This option overload default exceptionRenderer in app.php.
By default this class extends from Error.exceptionRenderer to add Cors Headers
If you don't want to overload exceptionRenderer, You must write
'Cors' => [ 'exceptionRenderer' => false ]