PHPackages andrewdyer/cors-response-emitter - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [HTTP & Networking](/categories/http) 4. / 5. andrewdyer/cors-response-emitter ActiveLibrary[HTTP & Networking](/categories/http) andrewdyer/cors-response-emitter ================================ A CORS-aware response emitter for Slim Framework applications, designed to ensure consistent and secure HTTP responses 0.1.0(1mo ago)011↓100%MITPHPPHP ^8.3CI passing Since Apr 7Pushed 1mo agoCompare [ Source](https://github.com/andrewdyer/cors-response-emitter)[ Packagist](https://packagist.org/packages/andrewdyer/cors-response-emitter)[ RSS](/packages/andrewdyer-cors-response-emitter/feed)WikiDiscussions main Synced 1mo ago READMEChangelog (1)Dependencies (4)Versions (2)Used By (0) [![CORS Response Emitter](https://camo.githubusercontent.com/bbdf8d01eefc61ff56f3a46b736add0c5c2f67f6d24af8f7fa986de49b4e1162/68747470733a2f2f7075626c69632d6173736574732e616e64726577647965722e726f636b732f696d616765732f636f766572732f636f72732d726573706f6e73652d656d69747465722e706e67)](https://camo.githubusercontent.com/bbdf8d01eefc61ff56f3a46b736add0c5c2f67f6d24af8f7fa986de49b4e1162/68747470733a2f2f7075626c69632d6173736574732e616e64726577647965722e726f636b732f696d616765732f636f766572732f636f72732d726573706f6e73652d656d69747465722e706e67) [![Latest Stable Version](https://camo.githubusercontent.com/6d94339c9a22120c9b843aa1b49c5e5eaed52b45df8e33a6be21645b883f8125/68747470733a2f2f706f7365722e707567782e6f72672f616e64726577647965722f636f72732d726573706f6e73652d656d69747465722f762f737461626c653f7374796c653d666f722d7468652d6261646765)](https://packagist.org/packages/andrewdyer/cors-response-emitter) [![Total Downloads](https://camo.githubusercontent.com/febf6c0fa296fd3f741bd7dd9d1af9927aa17630e7bec0ba3be84efbed8e6f44/68747470733a2f2f706f7365722e707567782e6f72672f616e64726577647965722f636f72732d726573706f6e73652d656d69747465722f646f776e6c6f6164733f7374796c653d666f722d7468652d6261646765)](https://packagist.org/packages/andrewdyer/cors-response-emitter) [![License](https://camo.githubusercontent.com/70d98d243fa1aa434935dae26ffab516cf99f412e7b145bb26299748c4461848/68747470733a2f2f706f7365722e707567782e6f72672f616e64726577647965722f636f72732d726573706f6e73652d656d69747465722f6c6963656e73653f7374796c653d666f722d7468652d6261646765)](https://packagist.org/packages/andrewdyer/cors-response-emitter) [![PHP Version Required](https://camo.githubusercontent.com/93e47aa693a43ab4ab4803650318b98a0638e688453975a9117a7532a1b3d1d6/68747470733a2f2f706f7365722e707567782e6f72672f616e64726577647965722f636f72732d726573706f6e73652d656d69747465722f726571756972652f7068703f7374796c653d666f722d7468652d6261646765)](https://packagist.org/packages/andrewdyer/cors-response-emitter) CORS Response Emitter ===================== [](#cors-response-emitter) A CORS-aware response emitter for [Slim Framework](https://www.slimframework.com/) applications, designed to ensure consistent and secure HTTP responses. Introduction ------------ [](#introduction) This library emits HTTP responses with consistent CORS and cache-control headers. It validates the incoming `Origin` against an explicit allowlist and emits credentialed CORS headers only for trusted origins. For public APIs, wildcard origins may be used to allow cross-origin access without credentials. Prerequisites ------------- [](#prerequisites) - **[PHP](https://www.php.net/)**: Version 8.3 or higher is required. - **[Composer](https://getcomposer.org/)**: Dependency management tool for PHP. - **[Slim Framework](https://www.slimframework.com/)**: Version 4 is required. Installation ------------ [](#installation) ``` composer require andrewdyer/cors-response-emitter ``` Getting Started --------------- [](#getting-started) The examples below demonstrate how to configure the emitter and emit a Slim response with CORS headers. ### 1. Configure trusted origins [](#1-configure-trusted-origins) Provide an allowlist of origins that may receive credentialed CORS responses. ``` use AndrewDyer\CorsResponseEmitter\CorsResponseEmitter; $emitter = new CorsResponseEmitter([ 'https://app.example.com', 'https://admin.example.com', ]); ``` ### 2. Emit the response [](#2-emit-the-response) After Slim handles the request, pass the response to the emitter. ``` $emitter->emit($response); ``` Usage ----- [](#usage) The emitter resolves CORS headers from the request origin and allowlist configuration: Scenario`Access-Control-Allow-Origin``Access-Control-Allow-Credentials``Vary`Request origin matches an explicit allowlist entryReflected origin (e.g. `https://app.example.com`)`true``Origin``"*"` in allowlist, no explicit match`*`*(omitted)**(omitted)*No match and no wildcard allowlist entry*(omitted)**(omitted)**(omitted)*### Allow exact origins [](#allow-exact-origins) Use explicit origins when endpoints need credentialed cross-origin requests. ``` use AndrewDyer\CorsResponseEmitter\CorsResponseEmitter; $emitter = new CorsResponseEmitter([ 'https://app.example.com', 'https://admin.example.com', ]); $emitter->emit($response); ``` ### Allow any origin for public APIs [](#allow-any-origin-for-public-apis) A wildcard origin (`"*"`) may be configured as an allowlist entry to permit requests from any origin. This is suitable for fully public, unauthenticated APIs: ``` use AndrewDyer\CorsResponseEmitter\CorsResponseEmitter; $emitter = new CorsResponseEmitter(['*']); $emitter->emit($response); ``` ### Combine exact and wildcard origins [](#combine-exact-and-wildcard-origins) Explicit origins and `"*"` may be combined. An exact match always takes precedence and receives the credentialed response. Requests from any other origin fall back to the uncredentialed wildcard response: ``` use AndrewDyer\CorsResponseEmitter\CorsResponseEmitter; $emitter = new CorsResponseEmitter([ '*', 'https://app.example.com', // receives credentialed response ]); $emitter->emit($response); ``` Important: the [CORS specification](https://fetch.spec.whatwg.org/#cors-protocol-and-credentials) forbids sending `Access-Control-Allow-Credentials: true` with `Access-Control-Allow-Origin: *`. If an endpoint requires cookies, HTTP authentication, or client certificates, use explicit origins. Complete Example ---------------- [](#complete-example) The following example combines Slim setup, request handling, and CORS-aware response emission: ```