This repository has been archived by the owner on May 23, 2022. It is now read-only.



A CakePHP (4+) plugin that enables CORS for your application through middleware.

Learn more about CORS

For CakePHP 3.3+, use the cake-3 branch.


  • PHP version 7.2 or higher
  • CakePHP 4.0 or higher


You can install this plugin into your CakePHP application using composer.

The recommended way to install composer packages is:

composer require ozee31/cakephp-cors

Quick Start

Loading the Plugin

// In src/Application.php
public function bootstrap(): void
{
    // code ...

    // Load the CORS plugin
    $this->addPlugin('Cors');
}

By default, the plugin allows CORS for all origins, all methods and all headers, and caches the preflight result for one day.


Default configuration

[
    'AllowOrigin' => true, // accept all origins
    'AllowCredentials' => true,
    'AllowMethods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'], // accept all HTTP methods
    'AllowHeaders' => true, // accept all headers
    'ExposeHeaders' => false, // don't expose custom headers
    'MaxAge' => 86400, // cache for 1 day
    'exceptionRenderer' => 'Cors\Error\AppExceptionRenderer', // use the plugin's ExceptionRenderer class
]

Change config

In app.php, add:

'Cors' => [
    // My Config
],

AllowOrigin (Access-Control-Allow-Origin)

A returned resource may have one Access-Control-Allow-Origin header, with the following syntax:

'Cors' => [
    // Accept all origins
    'AllowOrigin' => true,
    // OR
    'AllowOrigin' => '*',

    // Accept one origin
    'AllowOrigin' => '',

    // Accept many origins
    'AllowOrigin' => ['', ''],
],

AllowCredentials (Access-Control-Allow-Credentials)

The Access-Control-Allow-Credentials header indicates whether or not the response to the request can be exposed when the credentials flag is true. When used as part of a response to a preflight request, it indicates whether or not the actual request can be made using credentials. Note that simple GET requests are not preflighted, so if a request for a resource is made with credentials and this header is not returned with the resource, the browser ignores the response and does not return it to web content.

'Cors' => [
    'AllowCredentials' => true,
    // OR
    'AllowCredentials' => false,
],
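
The defaults listed above combine 'AllowOrigin' => true with 'AllowCredentials' => true, so a config is worth checking before it ships. The following is an added example, not code from the plugin: a hypothetical helper, auditCorsConfig(), that flags risky combinations using only the keys documented in this README. It assumes missing keys take the documented defaults, and the origin in the sample is a placeholder.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not part of the plugin): audit a 'Cors' config array.
 * Assumption: keys that are missing take the defaults listed in this README.
 *
 * @param array<string, mixed> $cors Value of the 'Cors' key from app.php
 * @return string[] Findings; empty when nothing is flagged
 */
function auditCorsConfig(array $cors): array
{
    // Documented defaults for the keys this check looks at.
    $cors += ['AllowOrigin' => true, 'AllowCredentials' => true, 'AllowHeaders' => true];
    $findings = [];
    $credentials = $cors['AllowCredentials'] === true;
    $anyOrigin = $cors['AllowOrigin'] === true || $cors['AllowOrigin'] === '*';

    if ($anyOrigin && $credentials) {
        $findings[] = 'AllowOrigin accepts every origin while AllowCredentials is true: '
            . 'list the trusted origins explicitly or set AllowCredentials to false';
    }
    if (!$anyOrigin) {
        foreach ((array)$cors['AllowOrigin'] as $origin) {
            // An origin is scheme://host[:port], with no path, wildcard or whitespace.
            if (!is_string($origin) || !preg_match('#^https?://[^/*\s]+$#', $origin)) {
                $findings[] = 'AllowOrigin entry is not a plain origin: ' . var_export($origin, true);
            } elseif ($credentials && strpos($origin, 'http://') === 0) {
                $findings[] = "Credentialed requests are allowed from a cleartext origin: $origin";
            }
        }
    }
    if ($cors['AllowHeaders'] === true) {
        $findings[] = 'AllowHeaders accepts every request header: list the ones the API needs';
    }
    return $findings;
}

// Constructed sample configs: the README defaults, then a restricted setup.
print_r(auditCorsConfig([]));             // two findings: origin + credentials, headers
print_r(auditCorsConfig([
    'AllowOrigin' => ['https://app.example.com'], // placeholder origin
    'AllowCredentials' => true,
    'AllowHeaders' => ['authorization', 'content-type'],
]));                                      // no findings
```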

AllowMethods (Access-Control-Allow-Methods)

'Cors' => [
    // string
    'AllowMethods' => 'POST',
    // OR array
    'AllowMethods' => ['GET', 'POST'],
],

AllowHeaders (Access-Control-Allow-Headers)

The Access-Control-Allow-Headers header is used in response to a preflight request to indicate which HTTP headers can be used when making the actual request.

'Cors' => [
    // accept all headers
    'AllowHeaders' => true,

    // accept just authorization
    'AllowHeaders' => 'authorization',

    // accept many headers
    'AllowHeaders' => ['authorization', 'other-header'],
],

ExposeHeaders (Access-Control-Expose-Headers)

The Access-Control-Expose-Headers header lets a server whitelist headers that browsers are allowed to access. For example:

'Cors' => [
    // nothing
    'ExposeHeaders' => false,

    // string
    'ExposeHeaders' => 'X-My-Custom-Header',

    // array
    'ExposeHeaders' => ['X-My-Custom-Header', 'X-Another-Custom-Header'],
],

MaxAge (Access-Control-Max-Age)

The Access-Control-Max-Age header indicates how long the results of a preflight request can be cached. For an example of a preflight request, see the above examples.

'Cors' => [
    // no cache
    'MaxAge' => false,

    // 1 hour
    'MaxAge' => 3600,

    // 1 day
    'MaxAge' => 86400,
],


This option overrides the default exceptionRenderer set in app.php.

By default, this class extends the class configured in Error.exceptionRenderer in order to add the CORS headers.

If you don't want to override exceptionRenderer, you must write:

'Cors' => [
    'exceptionRenderer' => false,
],

Read more