Inspired by https://github.com/asm89/stack-cors, for CodeIgniter 4.

The `codeigniter4-cors` package allows you to send Cross-Origin Resource Sharing headers with CodeIgniter 4 filter configuration.
- Handles CORS pre-flight OPTIONS requests
- Adds CORS headers to your responses
- Match routes to only add CORS to certain Requests
Require the `agungsugiarto/codeigniter4-cors` package in your `composer.json` and update your dependencies:

```sh
composer require agungsugiarto/codeigniter4-cors
```
To allow CORS for all your routes, first register the `CorsFilter.php` filter at the top of the `$aliases` property of the `app/Config/Filters.php` class:

```php
public $aliases = [
    'cors' => \Fluent\Cors\Filters\CorsFilter::class,
    // ...
];
```
Restrict routes based on their URI pattern by editing `app/Config/Filters.php` and adding them to the `$filters` array, e.g.:

```php
public $filters = [
    // ...
    'cors' => ['after' => ['api/*']],
];
```
Any single route can be restricted by adding the `filter` option to the last parameter in any of the route definition methods:

```php
$routes->match(['get', 'options'], 'api/users', 'UserController::index', ['filter' => 'cors']);
```
In the same way, entire groups of routes can be restricted within the `group()` method:

```php
$routes->group('sample', ['filter' => 'cors'], function ($routes) {
    // ...
});
```
The defaults are set in `config/cors.php`. Publish the config to copy the file to your own config:

```sh
php spark cors:publish
```
Note: When using custom headers, like `X-Auth-Token` or `X-Requested-With`, you must set the `allowedHeaders` to include those headers. You can also set it to `['*']` to allow all custom headers.

Note: If you are explicitly whitelisting headers, you must include `Origin` or requests will fail to be recognized as CORS.

Option | Description | Default value |
---|---|---|
allowedOrigins | Matches the request origin. Wildcards can be used, e.g. *.mydomain.com | ['*'] |
allowedMethods | Matches the request method. | ['*'] |
allowedHeaders | Sets the Access-Control-Allow-Headers response header. | ['*'] |
exposedHeaders | Sets the Access-Control-Expose-Headers response header. | false |
maxAge | Sets the Access-Control-Max-Age response header. | 0 |
supportsCredentials | Sets the Access-Control-Allow-Credentials header. | false |

`allowedOrigins`, `allowedHeaders` and `allowedMethods` can be set to `['*']` to accept any value.

Note: For `allowedOrigins` you must include the scheme when not using a wildcard, e.g. `['http://example.com', 'https://example.com']`.

Note: Try to be as specific as possible. You can start developing with loose constraints, but it's better to be as strict as possible!

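
One way to check a set of options against the notes above before deploying, as an added example that is not part of the package: `auditCorsOptions()` is a hypothetical helper, the two option arrays are constructed samples, and only the option names and defaults come from the table.

```php
<?php
// Added example, not part of codeigniter4-cors. Option names and defaults are
// taken from the table above; auditCorsOptions() is a hypothetical helper.

function auditCorsOptions(array $options): array
{
    // Fall back to the defaults listed in the table.
    $origins  = $options['allowedOrigins'] ?? ['*'];
    $methods  = $options['allowedMethods'] ?? ['*'];
    $headers  = $options['allowedHeaders'] ?? ['*'];
    $creds    = $options['supportsCredentials'] ?? false;
    $findings = [];

    if (in_array('*', $origins, true)) {
        $findings[] = $creds
            ? 'allowedOrigins is ["*"] with supportsCredentials enabled: name the origins that may send credentials'
            : 'allowedOrigins is ["*"]: every origin is accepted';
    }
    foreach ($origins as $origin) {
        // Exact (non-wildcard) origins must carry a scheme, per the note above.
        if (strpos($origin, '*') === false && ! preg_match('#^https?://#i', $origin)) {
            $findings[] = "allowedOrigins entry '{$origin}' has no scheme";
        }
    }
    if (in_array('*', $methods, true)) {
        $findings[] = 'allowedMethods is ["*"]: list only the methods the API uses';
    }
    // An explicit header list must include Origin, per the note above.
    $lower = array_map('strtolower', $headers);
    if (! in_array('*', $lower, true) && ! in_array('origin', $lower, true)) {
        $findings[] = 'allowedHeaders is an explicit list without Origin';
    }
    return $findings;
}

// Constructed sample values: the table defaults with credentials switched on,
// and a stricter set for one front-end origin (app.example.com is a placeholder).
$loose  = ['allowedOrigins' => ['*'], 'allowedMethods' => ['*'],
           'allowedHeaders' => ['*'], 'supportsCredentials' => true];
$strict = ['allowedOrigins' => ['https://app.example.com'],
           'allowedMethods' => ['GET', 'POST', 'OPTIONS'],
           'allowedHeaders' => ['Origin', 'Content-Type', 'X-Auth-Token'],
           'supportsCredentials' => true];

foreach (['loose' => $loose, 'strict' => $strict] as $name => $options) {
    $findings = auditCorsOptions($options);
    echo $name, ': ', $findings ? implode('; ', $findings) : 'no findings', PHP_EOL;
}
```
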
Released under the MIT License, see LICENSE.