CorsMiddleware implements MiddlewareInterface
Applies CORS headers to responses produced by the inner pipeline.
By default no Access-Control-Allow-Origin header is set, which effectively
blocks cross-origin browser requests (secure-by-default). Configure
$allowedOrigins with a concrete list, or ['*'] to allow any origin.
Access-Control-Allow-Methods and Access-Control-Allow-Headers are emitted
only on preflight responses (OPTIONS with an Access-Control-Request-Method
header), per the CORS specification. Headers already set by inner middleware
are preserved — this middleware only adds defaults when they are absent.
Table of Contents
Interfaces
- MiddlewareInterface
Properties
- $allowCredentials : bool
- $allowedHeadersHeader : string
- $allowedMethodsHeader : string
- $allowedOrigins : array<string|int, mixed>
- $exposedHeadersHeader : string|null
- $isWildcard : bool
- $varyOnOrigin : bool
Methods
- __construct() : mixed
- process() : ResponseInterface
- ensureVaryOrigin() : ResponseInterface
- isPreflight() : bool
- resolveAllowedOrigin() : string|null
Properties
$allowCredentials read-only
private
bool
$allowCredentials
= false
$allowedHeadersHeader read-only
private
string
$allowedHeadersHeader
$allowedMethodsHeader read-only
private
string
$allowedMethodsHeader
$allowedOrigins read-only
private
array<string|int, mixed>
$allowedOrigins
= []
$exposedHeadersHeader read-only
private
string|null
$exposedHeadersHeader
$isWildcard read-only
private
bool
$isWildcard
$varyOnOrigin read-only
private
bool
$varyOnOrigin
Methods
__construct()
public
__construct([array<int, string> $allowedOrigins = [] ][, array<int, string> $allowedMethods = ['GET', 'POST', 'DELETE'] ][, array<int, string> $allowedHeaders = ['Accept', 'Authorization', 'Content-Type', 'Last-Event-ID', StreamableHttpTransport::PROTOCOL_VERSION_HEADER, StreamableHttpTransport::SESSION_HEADER] ][, array<int, string> $exposedHeaders = [StreamableHttpTransport::SESSION_HEADER] ][, bool $allowCredentials = false ]) : mixed
Parameters
- $allowedOrigins : array<int, string> = []
  Origins permitted for cross-origin requests. Empty disables Access-Control-Allow-Origin. Use ['*'] to allow any origin.
- $allowedMethods : array<int, string> = ['GET', 'POST', 'DELETE']
  Methods advertised via Access-Control-Allow-Methods (preflight only).
- $allowedHeaders : array<int, string> = ['Accept', 'Authorization', 'Content-Type', 'Last-Event-ID', StreamableHttpTransport::PROTOCOL_VERSION_HEADER, StreamableHttpTransport::SESSION_HEADER]
  Headers advertised via Access-Control-Allow-Headers (preflight only).
- $exposedHeaders : array<int, string> = [StreamableHttpTransport::SESSION_HEADER]
  Headers advertised via Access-Control-Expose-Headers.
- $allowCredentials : bool = false
  Whether to emit Access-Control-Allow-Credentials: true. Incompatible with allowedOrigins: ['*']; combining them throws.
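Added example, not part of the library's code: a self-contained PHP model of the header decisions documented above, working on plain arrays so it runs without PSR-7 or the library. The function name corsHeaders(), the exact-match origin rule, the rule for when Vary: Origin is added, the exception type, and the shortened method/header strings are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Model of the documented behaviour, not the library's source. The function
// name, exact-match rule, Vary rule and exception type are assumptions.
function corsHeaders(array $allowedOrigins, bool $allowCredentials,
    string $method, array $requestHeaders, array $innerHeaders = []): array
{
    $isWildcard = in_array('*', $allowedOrigins, true);
    if ($isWildcard && $allowCredentials) {
        throw new InvalidArgumentException('wildcard origin with credentials');
    }
    $out = $innerHeaders; // headers set by inner middleware are kept
    if (!$isWildcard && $allowedOrigins !== []) {
        // The answer depends on Origin, so shared caches must key on it.
        $vary = $out['Vary'] ?? '';
        if (stripos($vary, 'origin') === false) {
            $out['Vary'] = ltrim($vary . ', Origin', ', ');
        }
    }
    $origin = $requestHeaders['origin'] ?? '';
    if ($isWildcard) {
        $allowed = '*';
    } elseif (in_array($origin, $allowedOrigins, true)) {
        $allowed = $origin; // exact string match, no prefix or suffix logic
    } else {
        return $out; // no Access-Control-Allow-Origin: browser blocks the read
    }
    $defaults = ['Access-Control-Allow-Origin' => $allowed];
    if ($allowCredentials) {
        $defaults['Access-Control-Allow-Credentials'] = 'true';
    }
    if (strtoupper($method) === 'OPTIONS'
        && isset($requestHeaders['access-control-request-method'])) {
        $defaults['Access-Control-Allow-Methods'] = 'GET, POST, DELETE';
        $defaults['Access-Control-Allow-Headers'] = 'Accept, Authorization, Content-Type';
    }
    return $out + $defaults; // array union: existing keys win
}
// Constructed requests; header names are lower-cased keys.
$list = ['https://app.example'];
print_r(corsHeaders([], false, 'GET', ['origin' => 'https://app.example']));
print_r(corsHeaders($list, true, 'GET', ['origin' => 'https://app.example.evil.test']));
print_r(corsHeaders($list, true, 'OPTIONS', ['origin' => 'https://app.example',
    'access-control-request-method' => 'POST']));
try {
    corsHeaders(['*'], true, 'GET', []);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```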
process()
public
process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
Parameters
- $request : ServerRequestInterface
- $handler : RequestHandlerInterface
Return values
ResponseInterface
ensureVaryOrigin()
private
ensureVaryOrigin(ResponseInterface $response) : ResponseInterface
Parameters
- $response : ResponseInterface
Return values
ResponseInterface
isPreflight()
private
isPreflight(ServerRequestInterface $request) : bool
Parameters
- $request : ServerRequestInterface
Return values
bool
resolveAllowedOrigin()
private
resolveAllowedOrigin(string $origin) : string|null
Parameters
- $origin : string