Skip to content

fruitcake/php-cors

5 Branches11 Tags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

barryvdhbarryvdh
Bump phpstan to 2.x and level up to 10 (#33)
Mar 13, 2025
0eaf5f5 · Mar 13, 2025

History

181 Commits
.github
.github
Oct 30, 2024
src
src
Mar 13, 2025
tests
tests
Mar 13, 2025
.gitattributes
.gitattributes
Aug 15, 2020
.gitignore
.gitignore
Jan 3, 2022
CHANGELOG.md
CHANGELOG.md
Apr 9, 2024
LICENSE
LICENSE
Feb 18, 2022
README.md
README.md
Mar 13, 2025
composer.json
composer.json
Mar 13, 2025
phpunit.xml.dist
phpunit.xml.dist
Feb 19, 2022

Repository files navigation

CORS for PHP (using the Symfony HttpFoundation)

Unit Tests PHPStan Level 9 Code Coverage Packagist License Latest Stable Version Total Downloads Fruitcake

Library and middleware enabling cross-origin resource sharing for your http-{foundation,kernel} using application. It attempts to implement the W3C Recommendation for cross-origin resource sharing.

Note: This is a standalone fork of https://github.com/asm89/stack-cors and is compatible with the options for CorsService.

Installation

Require fruitcake/php-cors using composer.

Usage

This package can be used as a library. You can use it in your framework using:

Options

Option Description Default value
allowedMethods Matches the request method. []
allowedOrigins Matches the request origin. []
allowedOriginsPatterns Matches the request origin with preg_match. []
allowedHeaders Sets the Access-Control-Allow-Headers response header. []
exposedHeaders Sets the Access-Control-Expose-Headers response header. []
maxAge Sets the Access-Control-Max-Age response header. 0
supportsCredentials Sets the Access-Control-Allow-Credentials header. false

The allowedMethods and allowedHeaders options are case-insensitive.

You don't need to provide both allowedOrigins and allowedOriginsPatterns. If one of the strings passed matches, it is considered a valid origin. A wildcard in allowedOrigins will be converted to a pattern.

If ['*'] is provided to allowedMethods, allowedOrigins or allowedHeaders all methods / origins / headers are allowed.

Note: Allowing a single static origin will improve cacheability.

Example: using the library

<?php

use Fruitcake\Cors\CorsService;

$cors = new CorsService([
    'allowedHeaders'         => ['x-allowed-header', 'x-other-allowed-header'],
    'allowedMethods'         => ['DELETE', 'GET', 'POST', 'PUT'],
    'allowedOrigins'         => ['http://localhost', 'https://*.example.com'],
    'allowedOriginsPatterns' => ['/localhost:\d/'],
    'exposedHeaders'         => ['Content-Encoding'],
    'maxAge'                 => 0,
    'supportsCredentials'    => false,
]);

$cors->addActualRequestHeaders(Response $response, $origin);
$cors->handlePreflightRequest(Request $request);
$cors->isActualRequestAllowed(Request $request);
$cors->isCorsRequest(Request $request);
$cors->isPreflightRequest(Request $request);

License

Released under the MIT License, see LICENSE.

This package is split-off from https://github.com/asm89/stack-cors and developed as stand-alone library since 2022

About

CORS (Cross-Origin Resource Sharing) for your Symfony/Laravel requests

Topics

php cors laravel symfony hacktoberfest

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

269 stars

Watchers

4 watching

Forks

16 forks
Report repository

Releases 9

v1.3.0 Latest
Oct 12, 2023
+ 8 releases

Sponsor this project

Learn more about GitHub Sponsors

Used by 1.1m

  • @bepplinh
  • @JonaNicovb
  • @matcho14
  • @SoufOuardi
  • @dinoarr
  • @SheenyKates
  • @AprilPatch
  • @vernonthedev
+ 1,091,733

Contributors 18

+ 4 contributors

Languages