PHPackages spatie/laravel-cors - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [API Development](/categories/api) 4. / 5. spatie/laravel-cors Abandoned → [laravel/framework](/?search=laravel%2Fframework)ArchivedLibrary[API Development](/categories/api) spatie/laravel-cors =================== Send CORS headers in a Laravel or Lumen application 1.7.0(4y ago)5972.2M↑35.8%5714MITPHPPHP ^7.2|^8.0 Since Dec 12Pushed 4y ago12 watchersCompare [ Source](https://github.com/spatie/laravel-cors)[ Packagist](https://packagist.org/packages/spatie/laravel-cors)[ Docs](https://github.com/spatie/laravel-cors)[ RSS](/packages/spatie-laravel-cors/feed)WikiDiscussions master Synced 1mo ago READMEChangelog (10)Dependencies (3)Versions (27)Used By (14) Notice ====== [](#notice) We have abandoned this package because Laravel 7 introduced native support for CORS. Only use this package if you're on Laravel 6 or below. Send CORS headers in a Laravel application ========================================== [](#send-cors-headers-in-a-laravel-application) [![Latest Version on Packagist](https://camo.githubusercontent.com/ecf082d4c67f76efa4e8d455a4c254b2bdf97468b89d2589a5862409246f6c5c/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f7370617469652f6c61726176656c2d636f72732e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/spatie/laravel-cors)[![Build Status](https://camo.githubusercontent.com/799dc1d9e3f0d5ae08ea8d0edb07643c85359bd904dd8f21b15cea6a29469ec7/68747470733a2f2f696d672e736869656c64732e696f2f7472617669732f7370617469652f6c61726176656c2d636f72732f6d61737465722e7376673f7374796c653d666c61742d737175617265)](https://travis-ci.org/spatie/laravel-cors)[![Quality Score](https://camo.githubusercontent.com/4a995ac40db95059ee94c06040aca219f7a7187e33b462b3458fed3b586298e3/68747470733a2f2f696d672e736869656c64732e696f2f7363727574696e697a65722f672f7370617469652f6c61726176656c2d636f72732e7376673f7374796c653d666c61742d737175617265)](https://scrutinizer-ci.com/g/spatie/laravel-cors)[![StyleCI](https://camo.githubusercontent.com/3ae7e35623f1945184e946f627ed1ca760bbb18af0021b1a9649f213478dda45/68747470733a2f2f7374796c6563692e696f2f7265706f732f3131333935373336382f736869656c643f6272616e63683d6d6173746572)](https://styleci.io/repos/113957368)[![Total Downloads](https://camo.githubusercontent.com/68ad40e488ccfc50321ad9326b57dfd7c33344af683e476b2fa8d6fd88e46921/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f7370617469652f6c61726176656c2d636f72732e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/spatie/laravel-cors) This package will add CORS headers to the responses of your Laravel or Lumen app. For more infomation about CORS, see the [Mozilla CORS documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS). This package supports preflight requests and is easily configurable to fit your needs. Installation ------------ [](#installation) - [Laravel](#laravel) - [Lumen](#lumen) ### Laravel [](#laravel) You can install the package via Composer: ``` composer require spatie/laravel-cors ``` The package will automatically register its service provider. The provided `Spatie\Cors\Cors` middleware must be registered in the global middleware group. ``` // app/Http/Kernel.php protected $middleware = [ ... \Spatie\Cors\Cors::class ]; ``` ``` php artisan vendor:publish --provider="Spatie\Cors\CorsServiceProvider" --tag="config" ``` This is the default content of the config file published at `config/cors.php`: ``` return [ /* * A cors profile determines which origins, methods, headers are allowed for * a given requests. The `DefaultProfile` reads its configuration from this * config file. * * You can easily create your own cors profile. * More info: https://github.com/spatie/laravel-cors/#creating-your-own-cors-profile */ 'cors_profile' => Spatie\Cors\CorsProfile\DefaultProfile::class, /* * This configuration is used by `DefaultProfile`. */ 'default_profile' => [ 'allow_credentials' => false, 'allow_origins' => [ '*', ], 'allow_methods' => [ 'POST', 'GET', 'OPTIONS', 'PUT', 'PATCH', 'DELETE', ], 'allow_headers' => [ 'Content-Type', 'X-Auth-Token', 'Origin', 'Authorization', ], 'expose_headers' => [ 'Cache-Control', 'Content-Language', 'Content-Type', 'Expires', 'Last-Modified', 'Pragma', ], 'forbidden_response' => [ 'message' => 'Forbidden (cors).', 'status' => 403, ], /* * Preflight request will respond with value for the max age header. */ 'max_age' => 60 * 60 * 24, ], ]; ``` ### Lumen [](#lumen) You can install the package via Composer: ``` composer require spatie/laravel-cors ``` Copy the config file from the vendor directory: ``` cp vendor/spatie/laravel-cors/config/cors.php config/cors.php ``` Register the config file, the middleware and the service provider in `bootstrap/app.php`: ``` $app->configure('cors'); $app->middleware([ Spatie\Cors\Cors::class, ]); $app->register(Spatie\Cors\CorsServiceProvider::class); ``` Usage ----- [](#usage) With the middleware installed your API routes should now get appropriate CORS headers. Preflight requests will be handled as well. If a request comes in that is not allowed, Laravel will return a `403` response. The default configuration of this package allows all requests from any origin (denoted as `'*'`). You probably want to at least specify some origins relevant to your project. If you want to allow requests to come in from `https://spatie.be` and `https://laravel.com` add those domains to the config file: ``` // config/cors.php ... 'default_profile' => [ 'allow_origins' => [ 'https://spatie.be', 'https://laravel.com', ], ... ... ``` If you, for example, want to allow all subdomains from a specific domain, you can use the wildcard asterisk (`*`) and specifiy that: ``` // config/cors.php ... 'default_profile' => [ 'allow_origins' => [ 'https://spatie.be', 'https://laravel.com', 'https://*.spatie.be', 'https://*.laravel.com', ], ... ... ``` ### Creating your own CORS profile [](#creating-your-own-cors-profile) Imagine you want to specify allowed origins based on the user that is currently logged in. In that case the `DefaultProfile` which just reads the config file won't cut it. Fortunately it's very easy to write your own CORS profile, which is simply a class that extends `Spatie\Cors\DefaultProfile`. Here's a quick example where it is assumed that you've already added an `allowed_domains` column on your user model: ``` namespace App\Services\Cors; use Spatie\Cors\CorsProfile\DefaultProfile; class UserBasedCorsProfile extends DefaultProfile { public function allowOrigins(): array { return Auth::user()->allowed_domains; } } ``` You can override the default HTTP status code and message returned when a request is forbidden by editing the `forbidden_response` array in your configuration file: ``` 'forbidden_response' => [ 'message' => 'Your request failed', 'status' => 400, ], ``` Don't forget to register your profile in the config file. ``` // config/cors.php ... 'cors_profile' => App\Services\Cors\UserBasedCorsProfile::class, ... ``` In the example above we've overwritten the `allowOrigins` method, but of course you may choose to override any of the methods present in `DefaultProfile`. Testing ------- [](#testing) ``` composer test ``` Changelog --------- [](#changelog) Please see [CHANGELOG](CHANGELOG.md) for more information what has changed recently. Contributing ------------ [](#contributing) Please see [CONTRIBUTING](CONTRIBUTING.md) for details. Security -------- [](#security) If you discover any security related issues, please email instead of using the issue tracker. Alternatives ------------ [](#alternatives) - [barryvdh/laravel-cors](https://github.com/barryvdh/laravel-cors): a tried and tested package. Our package is a modern rewrite of the basic features of Barry's excellent one. We created our own solution because we needed our configuration to be [very flexible](#creating-your-own-cors-profile). Postcardware ------------ [](#postcardware) You're free to use this package, but if it makes it to your production environment we highly appreciate you sending us a postcard from your hometown, mentioning which of our package(s) you are using. Our address is: Spatie, Samberstraat 69D, 2060 Antwerp, Belgium. We publish all received postcards [on our company website](https://spatie.be/en/opensource/postcards). Credits ------- [](#credits) - [Freek Van der Herten](https://github.com/freekmurze) - [All Contributors](../../contributors) Support us ---------- [](#support-us) Spatie is a webdesign agency based in Antwerp, Belgium. You'll find an overview of all our open source projects [on our website](https://spatie.be/opensource). Does your business depend on our contributions? Reach out and support us on [Patreon](https://www.patreon.com/spatie). All pledges will be dedicated to allocating workforce on maintenance and new awesome stuff. License ------- [](#license) The MIT License (MIT). Please see [License File](LICENSE.md) for more information. ### Health Score 52 — FairBetter than 96% of packages Maintenance20 Infrequent updates — may be unmaintained Popularity61 Solid adoption and visibility Community38 Small or concentrated contributor base Maturity78 Established project with proven stability Bus Factor1 Top contributor holds 68.7% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~51 days Recently: every ~196 days Total 26 Last Release 1803d ago Major Versions 0.0.7 → 1.0.02017-12-19 PHP version history (4 changes)0.0.1PHP ^7.1 0.0.2PHP ^7.0 1.4.0PHP ^7.2 1.7.0PHP ^7.2|^8.0 ### Community Maintainers ![](https://avatars.githubusercontent.com/u/7535935?v=4)[Spatie](/maintainers/spatie)[@spatie](https://github.com/spatie) --- Top Contributors [![freekmurze](https://avatars.githubusercontent.com/u/483853?v=4)](https://github.com/freekmurze "freekmurze (92 commits)")[![AlexVanderbist](https://avatars.githubusercontent.com/u/6287961?v=4)](https://github.com/AlexVanderbist "AlexVanderbist (8 commits)")[![joshuanoyes](https://avatars.githubusercontent.com/u/2377389?v=4)](https://github.com/joshuanoyes "joshuanoyes (6 commits)")[![sixlive](https://avatars.githubusercontent.com/u/5108034?v=4)](https://github.com/sixlive "sixlive (5 commits)")[![rennokki](https://avatars.githubusercontent.com/u/21983456?v=4)](https://github.com/rennokki "rennokki (4 commits)")[![oanhnn](https://avatars.githubusercontent.com/u/1757120?v=4)](https://github.com/oanhnn "oanhnn (3 commits)")[![thomasm0](https://avatars.githubusercontent.com/u/1927220?v=4)](https://github.com/thomasm0 "thomasm0 (2 commits)")[![nedmas](https://avatars.githubusercontent.com/u/842280?v=4)](https://github.com/nedmas "nedmas (2 commits)")[![mxaddict](https://avatars.githubusercontent.com/u/1060905?v=4)](https://github.com/mxaddict "mxaddict (1 commits)")[![Sammyjo20](https://avatars.githubusercontent.com/u/29132017?v=4)](https://github.com/Sammyjo20 "Sammyjo20 (1 commits)")[![staudenmeir](https://avatars.githubusercontent.com/u/1853169?v=4)](https://github.com/staudenmeir "staudenmeir (1 commits)")[![vdbelt](https://avatars.githubusercontent.com/u/11087503?v=4)](https://github.com/vdbelt "vdbelt (1 commits)")[![yugarinn](https://avatars.githubusercontent.com/u/4669964?v=4)](https://github.com/yugarinn "yugarinn (1 commits)")[![atymic](https://avatars.githubusercontent.com/u/50683531?v=4)](https://github.com/atymic "atymic (1 commits)")[![chrisbbreuer](https://avatars.githubusercontent.com/u/6228425?v=4)](https://github.com/chrisbbreuer "chrisbbreuer (1 commits)")[![DaLooK](https://avatars.githubusercontent.com/u/7662026?v=4)](https://github.com/DaLooK "DaLooK (1 commits)")[![drbyte](https://avatars.githubusercontent.com/u/404472?v=4)](https://github.com/drbyte "drbyte (1 commits)")[![hedii](https://avatars.githubusercontent.com/u/5358048?v=4)](https://github.com/hedii "hedii (1 commits)")[![kevinpijning](https://avatars.githubusercontent.com/u/2886081?v=4)](https://github.com/kevinpijning "kevinpijning (1 commits)")[![lloy0076](https://avatars.githubusercontent.com/u/1174532?v=4)](https://github.com/lloy0076 "lloy0076 (1 commits)") --- Tags apicorsjavascriptphprequestrequestspatieapicorsajaxlaravel-cors ### Code Quality TestsPHPUnit ### Embed Badge ![Health badge](/badges/spatie-laravel-cors/health.svg) ``` [![Health](https://phpackages.com/badges/spatie-laravel-cors/health.svg)](https://phpackages.com/packages/spatie-laravel-cors) ``` ### Alternatives [spatie/laravel-fractal An easy to use Fractal integration for Laravel applications 1.9k15.1M99](/packages/spatie-laravel-fractal)[agungsugiarto/codeigniter4-cors Send CORS Headers in a CodeIgniter 4 application. 6524.6k2](/packages/agungsugiarto-codeigniter4-cors)[mtownsend/request-xml The missing XML support for Laravel's Request class. 43432.5k](/packages/mtownsend-request-xml) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)