spatie / laravel-cors

Send CORS headers in a Laravel application
https://spatie.be/en/opensource/laravel
MIT License
603 stars 59 forks source link
api cors javascript php request

Notice

We have abandoned this package because Laravel 7 introduced native support for CORS. Only use this package if you're on Laravel 6 or below.

Send CORS headers in a Laravel application

Latest Version on Packagist Build Status Quality Score StyleCI Total Downloads

This package will add CORS headers to the responses of your Laravel or Lumen app. For more infomation about CORS, see the Mozilla CORS documentation.

This package supports preflight requests and is easily configurable to fit your needs.

Installation

Laravel

You can install the package via Composer:

composer require spatie/laravel-cors

The package will automatically register its service provider.

The provided Spatie\Cors\Cors middleware must be registered in the global middleware group.

// app/Http/Kernel.php

protected $middleware = [
    ...
    \Spatie\Cors\Cors::class
];
php artisan vendor:publish --provider="Spatie\Cors\CorsServiceProvider" --tag="config"

This is the default content of the config file published at config/cors.php:

return [
    /*
     * A cors profile determines which origins, methods, headers are allowed for
     * a given requests. The `DefaultProfile` reads its configuration from this
     * config file.
     *
     * You can easily create your own cors profile.
     * More info: https://github.com/spatie/laravel-cors/#creating-your-own-cors-profile
     */
    'cors_profile' => Spatie\Cors\CorsProfile\DefaultProfile::class,

    /*
     * This configuration is used by `DefaultProfile`.
     */
    'default_profile' => [

        'allow_credentials' => false,

        'allow_origins' => [
            '*',
        ],

        'allow_methods' => [
            'POST',
            'GET',
            'OPTIONS',
            'PUT',
            'PATCH',
            'DELETE',
        ],

        'allow_headers' => [
            'Content-Type',
            'X-Auth-Token',
            'Origin',
            'Authorization',
        ],

        'expose_headers' => [
            'Cache-Control',
            'Content-Language',
            'Content-Type',
            'Expires',
            'Last-Modified',
            'Pragma',
        ],

        'forbidden_response' => [
            'message' => 'Forbidden (cors).',
            'status' => 403,
        ],

        /*
         * Preflight request will respond with value for the max age header.
         */
        'max_age' => 60 * 60 * 24,
    ],
];

Lumen

You can install the package via Composer:

composer require spatie/laravel-cors

Copy the config file from the vendor directory:

cp vendor/spatie/laravel-cors/config/cors.php config/cors.php

Register the config file, the middleware and the service provider in bootstrap/app.php:

$app->configure('cors');

$app->middleware([
    Spatie\Cors\Cors::class,
]);

$app->register(Spatie\Cors\CorsServiceProvider::class);

Usage

With the middleware installed your API routes should now get appropriate CORS headers. Preflight requests will be handled as well. If a request comes in that is not allowed, Laravel will return a 403 response.

The default configuration of this package allows all requests from any origin (denoted as '*'). You probably want to at least specify some origins relevant to your project. If you want to allow requests to come in from https://spatie.be and https://laravel.com add those domains to the config file:

// config/cors.php

    ...
    'default_profile' => [

    'allow_origins' => [
        'https://spatie.be',
        'https://laravel.com',
    ],
    ...
...

If you, for example, want to allow all subdomains from a specific domain, you can use the wildcard asterisk (*) and specifiy that:

// config/cors.php

    ...
    'default_profile' => [

    'allow_origins' => [
        'https://spatie.be',
        'https://laravel.com',

        'https://*.spatie.be',
        'https://*.laravel.com',
    ],
    ...
...

Creating your own CORS profile

Imagine you want to specify allowed origins based on the user that is currently logged in. In that case the DefaultProfile which just reads the config file won't cut it. Fortunately it's very easy to write your own CORS profile, which is simply a class that extends Spatie\Cors\DefaultProfile.

Here's a quick example where it is assumed that you've already added an allowed_domains column on your user model:

namespace App\Services\Cors;

use Spatie\Cors\CorsProfile\DefaultProfile;

class UserBasedCorsProfile extends DefaultProfile
{
    public function allowOrigins(): array
    {
        return Auth::user()->allowed_domains;
    }
}

You can override the default HTTP status code and message returned when a request is forbidden by editing the forbidden_response array in your configuration file:

'forbidden_response' => [
    'message' => 'Your request failed',
    'status' => 400,
],

Don't forget to register your profile in the config file.

// config/cors.php

 ...
 'cors_profile' => App\Services\Cors\UserBasedCorsProfile::class,
 ...

In the example above we've overwritten the allowOrigins method, but of course you may choose to override any of the methods present in DefaultProfile.

Testing

composer test

Changelog

Please see CHANGELOG for more information what has changed recently.

Contributing

Please see CONTRIBUTING for details.

Security

If you discover any security related issues, please email freek@spatie.be instead of using the issue tracker.

Alternatives

Postcardware

You're free to use this package, but if it makes it to your production environment we highly appreciate you sending us a postcard from your hometown, mentioning which of our package(s) you are using.

Our address is: Spatie, Samberstraat 69D, 2060 Antwerp, Belgium.

We publish all received postcards on our company website.

Credits

Support us

Spatie is a webdesign agency based in Antwerp, Belgium. You'll find an overview of all our open source projects on our website.

Does your business depend on our contributions? Reach out and support us on Patreon. All pledges will be dedicated to allocating workforce on maintenance and new awesome stuff.

License

The MIT License (MIT). Please see License File for more information.