We have abandoned this package because Laravel 7 introduced native support for CORS. Only use this package if you're on Laravel 6 or below.
This package will add CORS headers to the responses of your Laravel or Lumen app. For more infomation about CORS, see the Mozilla CORS documentation.
This package supports preflight requests and is easily configurable to fit your needs.
You can install the package via Composer:
composer require spatie/laravel-cors
The package will automatically register its service provider.
The provided Spatie\Cors\Cors
middleware must be registered in the global middleware group.
// app/Http/Kernel.php
protected $middleware = [
...
\Spatie\Cors\Cors::class
];
php artisan vendor:publish --provider="Spatie\Cors\CorsServiceProvider" --tag="config"
This is the default content of the config file published at config/cors.php
:
return [
/*
* A cors profile determines which origins, methods, headers are allowed for
* a given requests. The `DefaultProfile` reads its configuration from this
* config file.
*
* You can easily create your own cors profile.
* More info: https://github.com/spatie/laravel-cors/#creating-your-own-cors-profile
*/
'cors_profile' => Spatie\Cors\CorsProfile\DefaultProfile::class,
/*
* This configuration is used by `DefaultProfile`.
*/
'default_profile' => [
'allow_credentials' => false,
'allow_origins' => [
'*',
],
'allow_methods' => [
'POST',
'GET',
'OPTIONS',
'PUT',
'PATCH',
'DELETE',
],
'allow_headers' => [
'Content-Type',
'X-Auth-Token',
'Origin',
'Authorization',
],
'expose_headers' => [
'Cache-Control',
'Content-Language',
'Content-Type',
'Expires',
'Last-Modified',
'Pragma',
],
'forbidden_response' => [
'message' => 'Forbidden (cors).',
'status' => 403,
],
/*
* Preflight request will respond with value for the max age header.
*/
'max_age' => 60 * 60 * 24,
],
];
You can install the package via Composer:
composer require spatie/laravel-cors
Copy the config file from the vendor directory:
cp vendor/spatie/laravel-cors/config/cors.php config/cors.php
Register the config file, the middleware and the service provider in bootstrap/app.php
:
$app->configure('cors');
$app->middleware([
Spatie\Cors\Cors::class,
]);
$app->register(Spatie\Cors\CorsServiceProvider::class);
With the middleware installed your API routes should now get appropriate CORS headers. Preflight requests will be handled as well. If a request comes in that is not allowed, Laravel will return a 403
response.
The default configuration of this package allows all requests from any origin (denoted as '*'
). You probably want to at least specify some origins relevant to your project. If you want to allow requests to come in from https://spatie.be
and https://laravel.com
add those domains to the config file:
// config/cors.php
...
'default_profile' => [
'allow_origins' => [
'https://spatie.be',
'https://laravel.com',
],
...
...
If you, for example, want to allow all subdomains from a specific domain, you can use the wildcard asterisk (*
) and specifiy that:
// config/cors.php
...
'default_profile' => [
'allow_origins' => [
'https://spatie.be',
'https://laravel.com',
'https://*.spatie.be',
'https://*.laravel.com',
],
...
...
Imagine you want to specify allowed origins based on the user that is currently logged in. In that case the DefaultProfile
which just reads the config file won't cut it. Fortunately it's very easy to write your own CORS profile, which is simply a class that extends Spatie\Cors\DefaultProfile
.
Here's a quick example where it is assumed that you've already added an allowed_domains
column on your user model:
namespace App\Services\Cors;
use Spatie\Cors\CorsProfile\DefaultProfile;
class UserBasedCorsProfile extends DefaultProfile
{
public function allowOrigins(): array
{
return Auth::user()->allowed_domains;
}
}
You can override the default HTTP status code and message returned when a request is forbidden by editing the forbidden_response
array in your configuration file:
'forbidden_response' => [
'message' => 'Your request failed',
'status' => 400,
],
Don't forget to register your profile in the config file.
// config/cors.php
...
'cors_profile' => App\Services\Cors\UserBasedCorsProfile::class,
...
In the example above we've overwritten the allowOrigins
method, but of course you may choose to override any of the methods present in DefaultProfile
.
composer test
Please see CHANGELOG for more information what has changed recently.
Please see CONTRIBUTING for details.
If you discover any security related issues, please email freek@spatie.be instead of using the issue tracker.
- barryvdh/laravel-cors: a tried and tested package. Our package is a modern rewrite of the basic features of Barry's excellent one. We created our own solution because we needed our configuration to be very flexible.
You're free to use this package, but if it makes it to your production environment we highly appreciate you sending us a postcard from your hometown, mentioning which of our package(s) you are using.
Our address is: Spatie, Samberstraat 69D, 2060 Antwerp, Belgium.
We publish all received postcards on our company website.
Spatie is a webdesign agency based in Antwerp, Belgium. You'll find an overview of all our open source projects on our website.
Does your business depend on our contributions? Reach out and support us on Patreon. All pledges will be dedicated to allocating workforce on maintenance and new awesome stuff.
The MIT License (MIT). Please see License File for more information.