How to activate CORS in Laravel – Cross-Origin Resource Sharing (CORS) is a security mechanism that restricts a web page from making requests to a different domain than the one that served the page. This restriction, known as the same-origin policy, is put in place to protect against cross-site scripting (XSS) attacks.

What Is CORS
CORS stands for Cross-Origin Resource Sharing. It is a mechanism that allows a web page to make requests to a different domain than the one that served the page.
Normally, web pages are not allowed to make requests to a different domain for security reasons, known as the same-origin policy. However, in some cases, you may need to allow a web page to access resources on another domain. CORS provides a way to allow this while still preserving the security of the same-origin policy.

When a web page makes a request to another domain, the server at that domain must respond with specific headers that indicate that it allows cross-origin requests from the origin of the request. The browser will then allow the request to proceed only if the server’s response includes these headers.
CORS is important because it allows for the creation of more dynamic and interactive web applications that can take advantage of data and services from multiple sources.
How do you use CORS?
Cross-Origin Resource Sharing (CORS) is used to allow a web page to make requests to a different domain than the one that served the page.
Here are the steps to use CORS in a web application:
- Server-side Configuration: On the server that provides the resource, you need to configure it to allow cross-origin requests by setting the appropriate CORS headers. In the HTTP response, the server needs to add the Access-Control-Allow-Origin header to specify the allowed domains. For example, if you want to allow all domains, you can set this header to "*":
    Access-Control-Allow-Origin: *
- Client-side Request: On the client-side, you can use the fetch API, XMLHttpRequest, or jQuery to make a request to the resource on a different domain. You do not need to make any special changes to the request for CORS to work.
- Preflight Request: Before sending the actual request, the browser will first make a preflight request to check if the server allows cross-origin requests. This preflight request is an HTTP OPTIONS request that is sent to the server to check if the actual request will be accepted.
- Server-side Response: The server needs to respond to the preflight request by returning the Access-Control-Allow-Origin header along with any other relevant headers such as Access-Control-Allow-Methods or Access-Control-Allow-Headers.
- Client-side Request: If the preflight request is successful, the browser will send the actual request to the server.
- Server-side Response: The server will respond to the actual request by returning the requested resource along with the Access-Control-Allow-Origin header.
These are the basic steps to use CORS in a web application. Keep in mind that you need to configure both the client and the server correctly for CORS to work correctly.

How to activate CORS in Laravel?
To enable CORS (Cross-Origin Resource Sharing) in Laravel, you can use the middleware provided by the framework. Here’s how you can do it:
- Create a new middleware class:
    php artisan make:middleware CorsMiddleware
- In the newly created CorsMiddleware class, add the following code:
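    <?php

    namespace App\Http\Middleware;

    use Closure;

    class CorsMiddleware
    {
        /**
         * Handle an incoming request.
         *
         * @param  \Illuminate\Http\Request  $request
         * @param  \Closure  $next
         * @return mixed
         */
        public function handle($request, Closure $next)
        {
            // '*' allows any origin. Browsers reject '*' combined with
            // Access-Control-Allow-Credentials: true, so that header is not sent.
            // To allow cookies or HTTP auth, return one specific trusted origin instead.
            $headers = [
                'Access-Control-Allow-Origin' => '*',
                'Access-Control-Allow-Methods' => 'POST, GET, OPTIONS, PUT, DELETE',
                'Access-Control-Max-Age' => '86400',
                'Access-Control-Allow-Headers' => 'Content-Type, Authorization, X-Requested-With',
            ];

            // Answer OPTIONS (preflight) requests directly with the CORS headers.
            if ($request->isMethod('OPTIONS')) {
                // Pass an array so the body is encoded as JSON once, not twice.
                return response()->json(['method' => 'OPTIONS'], 200, $headers);
            }

            $response = $next($request);

            // headers->set() exists on every response type, including file downloads.
            foreach ($headers as $key => $value) {
                $response->headers->set($key, $value);
            }

            return $response;
        }
    }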
- Add the middleware class to the list of global middleware in app/Http/Kernel.php:
    protected $middleware = [
        // ...
        \App\Http\Middleware\CorsMiddleware::class,
    ];
Now, the CORS middleware will be applied globally to all requests and will allow cross-origin requests. You can modify the middleware class to fit your specific needs.
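An allow-list variant of this middleware, which answers the preflight and the actual request from the steps above with the requesting origin only when that origin is trusted. This is an added example, not code from the original article; the class name AllowListCors and the example.com origins are assumptions.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

// Added example: the class name and origin list are assumptions, not from the article.
class AllowListCors
{
    // Constructed sample origins; replace with the front ends you actually trust.
    private const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];

    public function handle(Request $request, Closure $next)
    {
        $origin = $request->headers->get('Origin');
        // Exact string match only: no substring, suffix or regex comparison.
        $trusted = $origin !== null && in_array($origin, self::ALLOWED_ORIGINS, true);

        // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
        $isPreflight = $request->isMethod('OPTIONS')
            && $request->headers->has('Access-Control-Request-Method');

        // Preflights are answered here with an empty 204; everything else runs the app.
        $response = $isPreflight ? response('', 204) : $next($request);

        // The answer depends on Origin, so shared caches must key on it.
        $response->headers->set('Vary', 'Origin', false);

        if (! $trusted) {
            // No CORS headers: the browser blocks the calling page from reading this.
            return $response;
        }

        // Echo the single matched origin; '*' is never sent, so credentials are valid.
        $response->headers->set('Access-Control-Allow-Origin', $origin);
        $response->headers->set('Access-Control-Allow-Credentials', 'true');

        if ($isPreflight) {
            $response->headers->set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
            $response->headers->set('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With');
            $response->headers->set('Access-Control-Max-Age', '86400');
        }

        return $response;
    }
}
```

Register it in app/Http/Kernel.php in place of CorsMiddleware. CORS headers only control what the browser lets the calling page read; a request from an untrusted origin still reaches the application, so authentication and CSRF protection remain necessary.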
How to disable CORS in Laravel 8?
To disable CORS (Cross-Origin Resource Sharing) in Laravel 8, you need to remove the global CORS middleware from the list of middlewares in the app/Http/Kernel.php file. Here’s how you can do it:
- Open the app/Http/Kernel.php file.
- Locate the $middleware property in the Kernel class.
- Remove the following line from the $middleware property:
    \Fruitcake\Cors\HandleCors::class,
- Save the changes to the app/Http/Kernel.php file.
Now, CORS will be disabled in your Laravel application, and cross-origin requests will not be allowed. Note that if you have a specific need for CORS, you can still enable it by adding the HandleCors middleware back to the $middleware property in the Kernel class.