agungsugiarto / codeigniter4-cors
Send CORS Headers in a CodeIgniter 4 application.
Fund package maintenance!
saweria.co/agungsugiarto
Installs: 18 833
Dependents: 2
Suggesters: 0
Security: 0
Stars: 65
Watchers: 5
Forks: 14
Open Issues: 3
Requires
- php: ^7.4 || ^8.0
- codeigniter4/framework: ^4.3
Requires (Dev)
- phpunit/phpunit: ^9.1
README
Inspired from https://github.com/asm89/stack-cors for CodeIgniter 4
About
The codeigniter4-cors
package allows you to send Cross-Origin Resource Sharing
headers with Codeigniter4 filter configuration.
Features
- Handles CORS pre-flight OPTIONS requests
- Adds CORS headers to your responses
- Match routes to only add CORS to certain Requests
Upgrade from 2.x to v3.x
Upgrade from version 2.x to 3.x. Open your composer.json
find agungsugiarto/codeigniter4-cors
and change value to ^3.0
Installation
Require the agungsugiarto/codeigniter4-cors
package in your composer.json
and update your dependencies:
composer require agungsugiarto/codeigniter4-cors
Global usage
To allow CORS for all your routes, first register CorsFilter.php
filter at the top of the $aliases
property of App/Config/Filter.php
class:
public $aliases = [ 'cors' => \Fluent\Cors\Filters\CorsFilter::class, // ... ];
Global restrictions
Restrict routes based on their URI pattern by editing app/Config/Filters.php and adding them to the
$filters
array, e.g.:
public $filters = [ // ... 'cors' => [ 'before' => ['api/*'], 'after' => ['api/*'] ], ];
Restricting a single route
Any single route can be restricted by adding the filter option to the last parameter in any of the route definition methods:
$routes->get('api/users', 'UserController::index', ['filter' => 'cors']);
Restricting Route Groups
In the same way, entire groups of routes can be restricted within the group()
method:
$routes->group('api/v1', ['filter' => 'cors'], function ($routes) { // ... });
Configuration
The defaults are set in config/cors.php
. Publish the config to copy the file to your own config:
php spark cors:publish
Note: When using custom headers, like
X-Auth-Token
orX-Requested-With
, you must set theallowedHeaders
to include those headers. You can also set it to['*']
to allow all custom headers.
Note: If you are explicitly whitelisting headers, you must include
Origin
or requests will fail to be recognized as CORS.
Options
allowedOrigins
, allowedHeaders
and allowedMethods
can be set to ['*']
to accept any value.
Note: For
allowedOrigins
you must include the scheme when not using a wildcard, eg.['http://example.com', 'https://example.com']
. You must also take into account that the scheme will be present when using allowed_origins_patterns.
Note: Try to be a specific as possible. You can start developing with loose constraints, but it's better to be as strict as possible!
License
Released under the MIT License, see LICENSE.