DEV Community

Pradeep Kumar
Pradeep Kumar

Posted on • Updated on

Solved: Laravel Cors Issue

Updated 2024-04-16

Create a middleware at app\Http\Middleware\SecurityHeaders.php:

<?php

namespace App\Http\Middleware;

use Closure;

class SecurityHeaders
{
    private $unwantedHeaders = ['X-Powered-By', 'server', 'Server'];

    /**
     * @param $request
     * @param  Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        $response = $next($request);

        if (env('APP_ENV') === 'production'
            || env('APP_ENV') === 'develop'
            || env('APP_ENV') === 'staging' ) {
            $response->headers->set('Referrer-Policy', 'no-referrer-when-downgrade');
            $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
            /*
             * WARNING: This exposes the document to many exploits.
             * You must update 'Content-Security-Policy'
             */
            $response->headers->set('Content-Security-Policy', "default-src * self blob: data: gap:; style-src * self 'unsafe-inline' blob: data: gap:; script-src * 'self' 'unsafe-eval' 'unsafe-inline' blob: data: gap:; object-src * 'self' blob: data: gap:; img-src * self 'unsafe-inline' blob: data: gap:; connect-src self * 'unsafe-inline' blob: data: gap:; frame-src * self blob: data: gap:;");
            $response->headers->set('Permissions-Policy', 'autoplay=(self), camera=(), encrypted-media=(self), fullscreen=(), geolocation=(self), gyroscope=(self), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=(self), usb=()');
            $response->headers->set('X-Frame-Options', 'SAMEORIGIN');
            $response->headers->set('X-Content-Type-Options', 'nosniff');

            $this->removeUnwantedHeaders($this->unwantedHeaders);
        }

        return $response;
    }

    /**
     * @param $headers
     */
    private function removeUnwantedHeaders($headers): void
    {
        foreach ($headers as $header) {
            header_remove($header);
        }
    }
}


Enter fullscreen mode Exit fullscreen mode

Laravel 10

If config/cors.php not working, then simply add following to your public/index.php:

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: *');
header("Access-Control-Allow-Headers: *");
Enter fullscreen mode Exit fullscreen mode

and update config/cors.php to

'allowed_origins' => [],
Enter fullscreen mode Exit fullscreen mode

Laravel 9 and lower

Step 1. Add \Fruitcake\Cors\HandleCors::class, in app/Http/Middleware/Kernel.php in $middleware array

eg:

protected $middleware = [
        ...
        \Fruitcake\Cors\HandleCors::class,
        ...
    ];
Enter fullscreen mode Exit fullscreen mode

Step 2. Add cors.php file in config folder and write following code:

<?php

return [
    'paths' => ['api/*', 'sanctum/csrf-cookie'],

    'allowed_methods' => ['*'],

    'allowed_origins' => ['*'],

    'allowed_origins_patterns' => [],

    'allowed_headers' => ['*'],

    'exposed_headers' => [],

    'max_age' => 0,

    'supports_credentials' => false,

];

Enter fullscreen mode Exit fullscreen mode

Top comments (0)