Based on https://github.com/asm89/stack-cors
For Laravel 4, please use the 0.2 branch!
The laravel-cors
package allows you to send Cross-Origin Resource Sharing
headers with ACL-style per-url configuration.
If you want to have have a global overview of CORS workflow, you can browse this image.
- Handles CORS pre-flight OPTIONS requests
- Adds CORS headers to your responses
The defaults are set in config/cors.php
. Copy this file to your own config directory to modify the values. You can publish the config using this command:
php artisan vendor:publish --provider="Barryvdh\Cors\ServiceProvider"
Note: When using custom headers, like
X-Auth-Token
orX-Requested-With
, you must set the allowedHeaders to include those headers. You can also set it toarray('*')
to allow all custom headers.
Note: If you are explicitly whitelisting headers, you must include
Origin
or requests will fail to be recognized as CORS.
return [
/*
|--------------------------------------------------------------------------
| Laravel CORS
|--------------------------------------------------------------------------
|
| allowedOrigins, allowedHeaders and allowedMethods can be set to array('*')
| to accept any value.
|
*/
'supportsCredentials' => false,
'allowedOrigins' => ['*'],
'allowedHeaders' => ['*'], // ex : ['Content-Type', 'Accept']
'allowedMethods' => ['*'], // ex: ['GET', 'POST', 'PUT', 'DELETE']
'exposedHeaders' => [],
'maxAge' => 0,
'hosts' => [],
]
allowedOrigins
, allowedHeaders
and allowedMethods
can be set to array('*')
to accept any value, the
allowed methods however have to be explicitly listed.
Note: Because of http method overriding in Laravel, allowing POST methods will also enable the API users to perform PUT and DELETE requests as well.
Require the barryvdh/laravel-cors
package in your composer.json and update your dependencies.
$ composer require barryvdh/laravel-cors
Add the Cors\ServiceProvider to your config/app.php providers array:
Barryvdh\Cors\ServiceProvider::class,
The ServiceProvider adds a route middleware you can use, called cors
. You can apply this to a route or group to add CORS support.
Route::group(['middleware' => 'cors'], function(Router $router){
$router->get('api', 'ApiController@index');
});
If you want CORS to apply for all your routes, add it as global middleware in app/http/Kernel.php
:
protected $middleware = [
....
\Barryvdh\Cors\HandleCors::class
];
On Laravel Lumen, use LumenServiceProvider:
'Barryvdh\Cors\LumenServiceProvider',
And load your configuration file manually:
$app->configure('cors');
In order for the package to work, the request has to be a valid CORS request and needs to include an "Origin" header.
When an error occurs, the middleware isn't run completely. So when this happens, you won't see the actual result, but will get a CORS error instead.
This could be a CSRF token error or just a simple problem.
In App\Http\Middleware\VerifyCsrfToken
, add your routes to the exceptions:
protected $except = [
'api/*'
];
A simple but hacky method is to just always send the CORS headers. This isn't recommended for production, but it will show you the actual errors.
Add this to the top of public/index.php
:
header("Access-Control-Allow-Origin: *");
Don't forget to remove that in production, so you can specify what routes/headers/origins are allowed.
You can add the CORS headers to the Errors also, in your Exception Handler:
public function render($request, Exception $e)
{
$response = parent::render($request, $e);
if ($request->is('api/*')) {
app('Barryvdh\Cors\Stack\CorsService')->addActualRequestHeaders($response, $request);
}
return $response;
}
Released under the MIT License, see LICENSE.