andrewdyer/cors-response-emitter
================================

A CORS-aware response emitter for Slim Framework applications, designed to ensure consistent and secure HTTP responses

CORS Response Emitter
=====================

A CORS-aware response emitter for [Slim Framework](https://www.slimframework.com/) applications, designed to ensure consistent and secure HTTP responses.

Introduction
------------

This library emits HTTP responses with consistent CORS and cache-control headers. It validates the incoming `Origin` against an explicit allowlist and emits credentialed CORS headers only for trusted origins. For public APIs, wildcard origins may be used to allow cross-origin access without credentials.

Prerequisites
-------------

- **[PHP](https://www.php.net/)**: Version 8.3 or higher is required.
- **[Composer](https://getcomposer.org/)**: Dependency management tool for PHP.
- **[Slim Framework](https://www.slimframework.com/)**: Version 4 is required.

Installation
------------

```
composer require andrewdyer/cors-response-emitter
```

Getting Started
---------------

The examples below demonstrate how to configure the emitter and emit a Slim response with CORS headers.

### 1. Configure trusted origins

Provide an allowlist of origins that may receive credentialed CORS responses.

```
use AndrewDyer\CorsResponseEmitter\CorsResponseEmitter;

$emitter = new CorsResponseEmitter([
    'https://app.example.com',
    'https://admin.example.com',
]);
```

### 2. Emit the response

After Slim handles the request, pass the response to the emitter.

```
$emitter->emit($response);
```

Usage
-----

The emitter resolves CORS headers from the request origin and allowlist configuration:

| Scenario | `Access-Control-Allow-Origin` | `Access-Control-Allow-Credentials` | `Vary` |
| --- | --- | --- | --- |
| Request origin matches an explicit allowlist entry | Reflected origin (e.g. `https://app.example.com`) | `true` | `Origin` |
| `"*"` in allowlist, no explicit match | `*` | *(omitted)* | *(omitted)* |
| No match and no wildcard allowlist entry | *(omitted)* | *(omitted)* | *(omitted)* |

### Allow exact origins

Use explicit origins when endpoints need credentialed cross-origin requests.

```
use AndrewDyer\CorsResponseEmitter\CorsResponseEmitter;

$emitter = new CorsResponseEmitter([
    'https://app.example.com',
    'https://admin.example.com',
]);
$emitter->emit($response);
```

### Allow any origin for public APIs

A wildcard origin (`"*"`) may be configured as an allowlist entry to permit requests from any origin. This is suitable for fully public, unauthenticated APIs:

```
use AndrewDyer\CorsResponseEmitter\CorsResponseEmitter;

$emitter = new CorsResponseEmitter(['*']);
$emitter->emit($response);
```

### Combine exact and wildcard origins

Explicit origins and `"*"` may be combined. An exact match always takes precedence and receives the credentialed response. Requests from any other origin fall back to the uncredentialed wildcard response:

```
use AndrewDyer\CorsResponseEmitter\CorsResponseEmitter;

$emitter = new CorsResponseEmitter([
    '*',
    'https://app.example.com', // receives credentialed response
]);
$emitter->emit($response);
```

Important: the [CORS specification](https://fetch.spec.whatwg.org/#cors-protocol-and-credentials) forbids sending `Access-Control-Allow-Credentials: true` with `Access-Control-Allow-Origin: *`. If an endpoint requires cookies, HTTP authentication, or client certificates, use explicit origins.
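
The header resolution rules from the Usage table, written out as an added illustration; this is not the library's source. The function name `resolveCorsHeaders()` and the sample origins are hypothetical, and the guard against a literal `*` origin is an assumption of this sketch.

```php
<?php
declare(strict_types=1);

// Added illustration, not the library's source. resolveCorsHeaders() is a
// hypothetical name; it returns the CORS headers for one request origin.
function resolveCorsHeaders(?string $origin, array $allowlist): array
{
    // Exact, whole-string comparison: a prefix or substring check would also
    // accept lookalikes such as https://app.example.com.example.net.
    // A literal "*" sent as the Origin value is never reflected with credentials.
    if ($origin !== null && $origin !== '*' && in_array($origin, $allowlist, true)) {
        return [
            'Access-Control-Allow-Origin'      => $origin,
            'Access-Control-Allow-Credentials' => 'true',
            // The response differs per origin, so caches must key on Origin.
            'Vary'                             => 'Origin',
        ];
    }

    // Wildcard fallback: readable from any origin, never with credentials.
    if (in_array('*', $allowlist, true)) {
        return ['Access-Control-Allow-Origin' => '*'];
    }

    // No match and no wildcard entry: emit no CORS headers at all.
    return [];
}

// Constructed sample origins, checked against a combined allowlist.
$allowlist = ['*', 'https://app.example.com'];
$samples = [
    'https://app.example.com',             // exact match: credentialed response
    'https://app.example.com.example.net', // lookalike: wildcard response only
    'null',                                // opaque origin: wildcard response only
    null,                                  // no Origin header: wildcard response only
];

foreach ($samples as $origin) {
    $headers = resolveCorsHeaders($origin, $allowlist);
    printf("%-38s %s\n", $origin ?? '(no Origin header)', json_encode($headers, JSON_UNESCAPED_SLASHES));
}

// Without "*" in the allowlist, the lookalike origin receives no CORS headers.
var_dump(resolveCorsHeaders('https://app.example.com.example.net', ['https://app.example.com']));
```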

Complete Example
----------------

The following example combines Slim setup, request handling, and CORS-aware response emission:

```
