Laravel Version
12
PHP Version
8.4.20
Database Driver & Version
MySql 8.4.5 on Windows
Description
When Maintenance-Mode is on, with a pre-rendered page, no CORS headers are in the response.
When the website is down during maintenance and emitting 503 Service Unavailable, it makes no sense to restrict output by omitting CORS headers. The "website down" message is a public message that must be visible to everyone, including ajax/xmlhttp requests.
Not returning a JSON response is totally fine. The 503 Service Unavailable http response status is enough.
Setting maintenance mode on creates storage/framework/maintenance.php from https://github.com/laravel/framework/blob/13.x/src/Illuminate/Foundation/Console/stubs/maintenance-mode.stub. When using a pre-rendered HTML page, this stub does not set any CORS header.
Please consider updating the stub with:
- For a CORS pre-flight OPTIONS request (has request-header Access-Control-Request-Method)
header('Cache-Control: private, max-age=1');
header('Expires: '.gmdate('D, d M Y H:i:s \G\M\T', time() + (1)));
header('Access-Control-Max-Age: 1');
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: *');
header('Access-Control-Allow-Headers: Authorization, Content-Type, Content-Encoding, Accept-Encoding, Transfer-Encoding');
header('Access-Control-Expose-Headers: WWW-Authenticate, Content-Type, Content-Encoding, Content-Disposition, Transfer-Encoding, Expires, Cache-Control, Pragma, Date');
header('Access-Control-Allow-Origin: *');
Steps To Reproduce
- Create file resources/views/layouts/maintenance.blade.php, see attachment.
- Set maintenance mode on with
Artisan::call('down', ['--render' => 'layouts/maintenance'])
- Perform an api request from another domain. Observe the following error in the Browser console
index.html:1 Access to XMLHttpRequest at 'https:/../api/...?time=7-5-2026%2011:54:15' from origin 'https://...' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
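Added example (not part of the issue report and not Laravel code): a simplified model of the browser-side CORS checks from the Fetch standard, run against the current stub response and the headers proposed above. The origin is a placeholder, and the 204 variant assumes the OPTIONS pre-flight is answered with a 2xx status instead of the 503 sent for other requests.

```javascript
// Simplified model of the Fetch-standard CORS checks; not Laravel or browser code.
const SAFE_METHODS = ['GET', 'HEAD', 'POST'];
const list = (v, lower) =>
  (v || '').split(',').map(s => (lower ? s.trim().toLowerCase() : s.trim())).filter(Boolean);

// CORS check applied to every cross-origin response, preflight or actual.
function corsCheck(req, res) {
  const allow = res.headers['access-control-allow-origin'];
  if (allow === undefined) return 'blocked: no Access-Control-Allow-Origin';
  if (!req.credentials && allow === '*') return 'ok';
  if (allow !== req.origin) return 'blocked: origin mismatch';
  if (req.credentials && res.headers['access-control-allow-credentials'] !== 'true')
    return 'blocked: credentials not allowed';
  return 'ok';
}

// Preflight: CORS check, then a 2xx status, then the method and header allow-lists.
function preflightCheck(req, res) {
  const cors = corsCheck(req, res);
  if (cors !== 'ok') return cors;
  if (res.status < 200 || res.status > 299) return 'blocked: preflight status is not 2xx';
  const wildcard = !req.credentials; // "*" only counts for requests without credentials
  const methods = list(res.headers['access-control-allow-methods'], false);
  if (!SAFE_METHODS.includes(req.method) && !methods.includes(req.method) &&
      !(wildcard && methods.includes('*'))) return 'blocked: method not allowed';
  const allowed = list(res.headers['access-control-allow-headers'], true);
  for (const name of req.unsafeHeaders.map(h => h.toLowerCase())) {
    // Authorization must be listed by name; the wildcard never covers it.
    const viaWildcard = wildcard && allowed.includes('*') && name !== 'authorization';
    if (!allowed.includes(name) && !viaWildcard) return `blocked: header ${name} not allowed`;
  }
  return 'ok';
}

// Constructed inputs: placeholder origin, header values taken from the proposal above.
const simpleGet = { origin: 'https://app.example', method: 'GET', credentials: false, unsafeHeaders: [] };
const apiCall = { origin: 'https://app.example', method: 'PUT', credentials: false,
  unsafeHeaders: ['Authorization', 'Content-Type'] };
const stubToday = { status: 503, headers: {} };
const proposed = { status: 503, headers: {
  'access-control-allow-origin': '*',
  'access-control-allow-methods': '*',
  'access-control-allow-headers':
    'Authorization, Content-Type, Content-Encoding, Accept-Encoding, Transfer-Encoding' } };
const proposed204 = { ...proposed, status: 204 }; // assumption: OPTIONS answered with 204

console.log([corsCheck(simpleGet, stubToday), corsCheck(simpleGet, proposed),
  preflightCheck(apiCall, proposed), preflightCheck(apiCall, proposed204)]);
```

In this model a pre-flighted request stays blocked while the OPTIONS response itself carries the 503, and the wildcard origin passes only for requests sent without credentials.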