andrewdyer/slim-cors-response-emitter
=====================================

A CORS-aware response emitter for Slim applications.

Slim CORS Response Emitter
==========================

A CORS-aware response emitter for Slim applications.

✨ Introduction
--------------

This library emits HTTP responses with consistent CORS and cache-control headers. It validates the incoming `Origin` against an explicit allowlist and emits credentialed CORS headers only for trusted origins. For public APIs, wildcard origins may be used to allow cross-origin access without credentials.

📥 Installation
--------------

```
composer require andrewdyer/slim-cors-response-emitter
```

Requires PHP 8.3 or newer.

🚀 Getting Started
-----------------

The examples below demonstrate how to configure the emitter and emit a Slim response with CORS headers.

### 1. Configure trusted origins

Provide an allowlist of origins that may receive credentialed CORS responses.

```
$emitter = new CorsResponseEmitter([
    'https://app.example.com',
    'https://admin.example.com',
]);
```

### 2. Emit the response

After Slim handles the request, pass the response to the emitter.

```
$emitter->emit($response);
```

🧩 Usage
-------

The emitter resolves CORS headers from the request origin and allowlist configuration:

| Scenario | `Access-Control-Allow-Origin` | `Access-Control-Allow-Credentials` | `Vary` |
| --- | --- | --- | --- |
| Request origin matches an explicit allowlist entry | Reflected origin (e.g. `https://app.example.com`) | `true` | `Origin` |
| `"*"` in allowlist, no explicit match | `*` | *(omitted)* | *(omitted)* |
| No match and no wildcard allowlist entry | *(omitted)* | *(omitted)* | *(omitted)* |

### Allow exact origins

Use explicit origins when endpoints need credentialed cross-origin requests.

```
$emitter = new CorsResponseEmitter([
    'https://app.example.com',
    'https://admin.example.com',
]);
$emitter->emit($response);
```

### Allow any origin for public APIs

A wildcard origin (`"*"`) may be configured as an allowlist entry to permit requests from any origin. This is suitable for fully public, unauthenticated APIs:

```
$emitter = new CorsResponseEmitter(['*']);
$emitter->emit($response);
```

### Combine exact and wildcard origins

Explicit origins and `"*"` may be combined. An exact match always takes precedence and receives the credentialed response. Requests from any other origin fall back to the uncredentialed wildcard response:

```
$emitter = new CorsResponseEmitter([
    '*',
    'https://app.example.com', // receives credentialed response
]);
$emitter->emit($response);
```

Important: the [CORS specification](https://fetch.spec.whatwg.org/#cors-protocol-and-credentials) forbids sending `Access-Control-Allow-Credentials: true` with `Access-Control-Allow-Origin: *`. If an endpoint requires cookies, HTTP authentication, or client certificates, use explicit origins.
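
The resolution rules from the Usage table and the credentials restriction above, written out as a standalone function. This is an added example, not the library's own code: `resolveCorsHeaders()` is a hypothetical name, and it assumes strict string comparison of origins and treats a missing `Origin` header as "no explicit match".

```php
<?php
declare(strict_types=1);

/**
 * Added illustration of the Usage table; not the library's implementation.
 * resolveCorsHeaders() is a hypothetical helper name.
 */
function resolveCorsHeaders(?string $origin, array $allowlist): array
{
    // Exact, case-sensitive comparison: no prefix, suffix or regex matching.
    // A literal "*" sent as the Origin value must never count as a trusted match.
    if ($origin !== null && $origin !== '*' && in_array($origin, $allowlist, true)) {
        return [
            'Access-Control-Allow-Origin'      => $origin,
            'Access-Control-Allow-Credentials' => 'true',
            // The response differs per origin, so caches must key on it.
            'Vary'                             => 'Origin',
        ];
    }

    // Wildcard fallback: any origin may read the response, never with credentials.
    if (in_array('*', $allowlist, true)) {
        return ['Access-Control-Allow-Origin' => '*'];
    }

    // Untrusted origin: emit no CORS headers, so the browser blocks the read.
    return [];
}

// Constructed sample origins, checked against a mixed allowlist.
$allowlist = ['*', 'https://app.example.com'];
$cases = [
    'https://app.example.com',             // exact match: credentialed
    'https://app.example.com.other.test',  // shares a prefix only: wildcard
    'http://app.example.com',              // scheme differs: wildcard
    null,                                  // no Origin header: wildcard
];

foreach ($cases as $origin) {
    $headers = resolveCorsHeaders($origin, $allowlist);
    // Invariant from the Fetch spec: "*" never travels with credentials.
    if (($headers['Access-Control-Allow-Origin'] ?? '') === '*'
        && isset($headers['Access-Control-Allow-Credentials'])) {
        throw new LogicException('wildcard origin emitted with credentials');
    }
    printf("%-36s => %s\n", $origin ?? '(none)', json_encode($headers, JSON_UNESCAPED_SLASHES));
}
```

Removing `'*'` from `$allowlist` makes every non-matching case return an empty header set, the third row of the table.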

📘 Complete example
------------------

The following example combines Slim setup, request handling, and CORS-aware response emission:

```
