CORS Setup

Configure Cross-Origin Resource Sharing (CORS) to allow your API to be accessed from different domains.

Basic CORS Setup

1. Enable CORS in Environment

Add CORS configuration to your .env file:

# Enable CORS
CORS_ENABLED=true

# Allow specific origins
CORS_ALLOWED_ORIGINS=https://baseapp.com,https://baseapp.dev

# Configure allowed methods and headers
CORS_ALLOWED_METHODS=GET, POST, PUT, DELETE, OPTIONS
CORS_ALLOWED_HEADERS=Content-Type, Authorization, X-Requested-With

# Enable credentials if needed
CORS_ALLOW_CREDENTIALS=true

# Cache preflight for 24 hours
CORS_MAX_AGE=86400

2. Router Handles CORS Automatically

The Router automatically handles CORS when enabled. No additional code needed:

<?php
require 'vendor/autoload.php';

use Stilmark\Base\Env;
use Stilmark\Base\Router;

// Load environment (includes CORS config)
Env::load(__DIR__ . '/.env');

// Router handles CORS preflight automatically
$router = new Router();
$router->dispatch();

CORS Configuration Examples

Development Setup

Allow localhost and development domains:

CORS_ENABLED=true
CORS_ALLOWED_ORIGINS=http://localhost:3000,http://localhost:8080,https://dev.example.com
CORS_ALLOWED_METHODS=GET, POST, PUT, DELETE, OPTIONS
CORS_ALLOWED_HEADERS=Content-Type, Authorization, X-Requested-With, X-Debug-Token
CORS_ALLOW_CREDENTIALS=true
CORS_MAX_AGE=3600

Production Setup

Restrict to specific production domains:

CORS_ENABLED=true
CORS_ALLOWED_ORIGINS=https://app.example.com,https://admin.example.com
CORS_ALLOWED_METHODS=GET, POST, PUT, DELETE, OPTIONS
CORS_ALLOWED_HEADERS=Content-Type, Authorization
CORS_ALLOW_CREDENTIALS=true
CORS_MAX_AGE=86400

Wildcard Subdomain Setup

Allow all subdomains of a domain:

CORS_ENABLED=true
CORS_ALLOWED_ORIGINS=https://*.example.com
CORS_ALLOWED_METHODS=GET, POST, OPTIONS
CORS_ALLOWED_HEADERS=Content-Type, Authorization
CORS_ALLOW_CREDENTIALS=false
CORS_MAX_AGE=86400

Frontend Integration

JavaScript Fetch API

// Simple request (no preflight needed)
fetch('https://api.example.com/users', {
    method: 'GET',
    headers: {
        'Content-Type': 'application/json'
    }
})
.then(response => response.json())
.then(data => console.log(data));

// Complex request (triggers preflight)
fetch('https://api.example.com/users', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        'Authorization': 'Bearer token123'
    },
    credentials: 'include', // Send cookies
    body: JSON.stringify({
        name: 'John Doe',
        email: 'john@example.com'
    })
})
.then(response => response.json())
.then(data => console.log(data));

Axios Configuration

// Configure axios defaults
axios.defaults.withCredentials = true;
axios.defaults.headers.common['Content-Type'] = 'application/json';

// Make requests
axios.post('https://api.example.com/users', {
    name: 'John Doe',
    email: 'john@example.com'
}, {
    headers: {
        'Authorization': 'Bearer token123'
    }
})
.then(response => console.log(response.data));

CORS Headers Explained

Response Headers Set by Base

When CORS is enabled, Base automatically sets these headers:

Access-Control-Allow-Origin: https://baseapp.com
Vary: Origin
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400

Preflight Request Flow

Browser sends OPTIONS request:

OPTIONS /api/users HTTP/1.1
Origin: https://baseapp.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Content-Type, Authorization

Base responds with CORS headers:

HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://baseapp.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With
Access-Control-Max-Age: 86400

Browser makes actual request:

POST /api/users HTTP/1.1
Origin: https://baseapp.com
Content-Type: application/json
Authorization: Bearer token123

Security Considerations

Origin Validation

Always specify exact origins in production:

# Good: Specific origins
CORS_ALLOWED_ORIGINS=https://app.example.com,https://admin.example.com

# Avoid: Wildcard in production
CORS_ALLOWED_ORIGINS=*

Credentials Handling

Only enable credentials when necessary:

# Enable only if you need cookies/auth headers
CORS_ALLOW_CREDENTIALS=true

# Disable for public APIs
CORS_ALLOW_CREDENTIALS=false

Header Restrictions

Limit allowed headers to what you actually need:

# Minimal headers for simple APIs
CORS_ALLOWED_HEADERS=Content-Type

# Extended headers for complex apps
CORS_ALLOWED_HEADERS=Content-Type, Authorization, X-Requested-With, X-API-Key

Troubleshooting CORS

Common Issues

CORS not working:
- Check CORS_ENABLED=true in .env
- Verify origin is in CORS_ALLOWED_ORIGINS
- Ensure no trailing slashes in origins
Preflight failing:
- Check OPTIONS is in CORS_ALLOWED_METHODS
- Verify all request headers are in CORS_ALLOWED_HEADERS
Credentials not working:
- Set CORS_ALLOW_CREDENTIALS=true
- Cannot use wildcard origin with credentials
- Frontend must set credentials: 'include'

Debug CORS Issues

Add debug logging to see CORS processing:

// In development environment
if (Env::get('APP_ENV') === 'development') {
    error_log('CORS Origin: ' . ($_SERVER['HTTP_ORIGIN'] ?? 'none'));
    error_log('CORS Enabled: ' . Env::get('CORS_ENABLED', 'false'));
    error_log('Allowed Origins: ' . Env::get('CORS_ALLOWED_ORIGINS', ''));
}

Browser Developer Tools

Check the Network tab for:

Preflight OPTIONS request
CORS headers in response
Console errors about CORS policy

Testing CORS

Manual Testing with cURL

Test preflight request:

curl -X OPTIONS \
  -H "Origin: https://baseapp.com" \
  -H "Access-Control-Request-Method: POST" \
  -H "Access-Control-Request-Headers: Content-Type, Authorization" \
  -v \
  https://api.example.com/users

Test actual request:

curl -X POST \
  -H "Origin: https://baseapp.com" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer token123" \
  -d '{"name":"John","email":"john@example.com"}' \
  -v \
  https://api.example.com/users

Automated Testing

public function testCorsHeaders()
{
    Env::set('CORS_ENABLED', 'true');
    Env::set('CORS_ALLOWED_ORIGINS', 'https://baseapp.com');
    
    $_SERVER['HTTP_ORIGIN'] = 'https://baseapp.com';
    $_SERVER['REQUEST_METHOD'] = 'OPTIONS';
    
    ob_start();
    Router::dispatch();
    $output = ob_get_clean();
    
    $this->assertEquals(204, http_response_code());
    $this->assertStringContainsString('Access-Control-Allow-Origin: https://baseapp.com', $output);
}

PreviousRoute Protection with Middleware NextGetting Started with Testing

Last updated 4 months ago

hashtagBasic CORS Setup

hashtag1. Enable CORS in Environment

hashtag2. Router Handles CORS Automatically

hashtagCORS Configuration Examples

hashtagDevelopment Setup

hashtagProduction Setup

hashtagWildcard Subdomain Setup

hashtagFrontend Integration

hashtagJavaScript Fetch API

hashtagAxios Configuration

hashtagCORS Headers Explained

hashtagResponse Headers Set by Base

hashtagPreflight Request Flow

hashtagSecurity Considerations

hashtagOrigin Validation

hashtagCredentials Handling

hashtagHeader Restrictions

hashtagTroubleshooting CORS

hashtagCommon Issues

hashtagDebug CORS Issues

hashtagBrowser Developer Tools

hashtagTesting CORS

hashtagManual Testing with cURL

hashtagAutomated Testing