Based on https://github.com/nelmio/NelmioCorsBundle and https://github.com/asm89/stack-cors
For Laravel 4, please use the 0.2 branch!
The laravel-cors
package allows you to send Cross-Origin Resource Sharing
headers with ACL-style per-url configuration.
If you want to have have a global overview of CORS workflow, you can browse this image.
- Handles CORS pre-flight OPTIONS requests
- Adds CORS headers to your responses
The defaults
are the default values applied to all the paths
that match,
unless overridden in a specific URL configuration. This uses the same syntax as Request::is($pattern)
If you want them to apply to everything, you must define a path with *
. Use the hosts
key to restrict
the matches only to specific subdomains.
This example config contains all the possible config values with their default
values shown in the defaults
key. In paths, you see that we allow CORS
requests from any origin on /api/
. One custom header and some HTTP methods
are defined as allowed as well. Preflight requests can be cached for 3600
seconds.
Note: When using custom headers, like
X-Auth-Token
orX-Requested-With
, you must set the allowedHeaders to include those headers. You can also set it toarray('*')
to allow all custom headers.
Note: If you are explicitly whitelisting headers, you must include
Origin
or requests will fail to be recognized as CORS.
'defaults' => array(
'supportsCredentials' => false,
'allowedOrigins' => array(),
'allowedHeaders' => array(),
'allowedMethods' => array(),
'exposedHeaders' => array(),
'maxAge' => 0,
'hosts' => array(),
),
'paths' => array(
'api/*' => array(
'allowedOrigins' => array('*'),
'allowedHeaders' => array('*'),
'allowedMethods' => array('*'),
'maxAge' => 3600,
),
'*' => array(
'allowedOrigins' => array('*'),
'allowedHeaders' => array('Content-Type'),
'allowedMethods' => array('POST', 'PUT', 'GET', 'DELETE'),
'maxAge' => 3600,
'hosts' => array('api.*'),
),
),
allowedOrigins
, allowedHeaders
and allowedMethods
can be set to array('*')
to accept any value, the
allowed methods however have to be explicitly listed.
Note: Because of http method overriding in Laravel, allowing POST methods will also enable the API users to perform PUT and DELETE requests as well.
Require the barryvdh/laravel-cors
package in your composer.json and update your dependencies.
$ composer require barryvdh/laravel-cors 0.6.x
Add the CorsServiceProvider to your config/app.php providers array:
'Barryvdh\Cors\CorsServiceProvider',
Then add the Middleware to your App Kernel:
'Barryvdh\Cors\Middleware\HandleCors',
Set the cors.paths
and cors.defaults
config in ConfigServiceProvider, or publish config/cors.php to a local config/cors.php
file.
php artisan vendor:publish --provider="Barryvdh\Cors\CorsServiceProvider"
Released under the MIT License, see LICENSE.