Cross-origin resource sharing library for the Symfony HttpFoundation

fruitcake/php-cors image

fruitcake/php-cors stats

Open Issues

View on GitHub →

Fruitcake Php-cors Readme

CORS for PHP (using the Symfony HttpFoundation)

Library and middleware enabling cross-origin resource sharing for your http-{foundation,kernel} using application. It attempts to implement the W3C Recommendation for cross-origin resource sharing.

Note: This is a standalone fork of and is compatible with the options for CorsService.


Require fruitcake/php-cors using composer.


This package can be used as a library. You can use it in your framework using:


Option Description Default value
allowedMethods Matches the request method. []
allowedOrigins Matches the request origin. []
allowedOriginsPatterns Matches the request origin with preg_match. []
allowedHeaders Sets the Access-Control-Allow-Headers response header. []
exposedHeaders Sets the Access-Control-Expose-Headers response header. []
maxAge Sets the Access-Control-Max-Age response header. 0
supportsCredentials Sets the Access-Control-Allow-Credentials header. false

The allowedMethods and allowedHeaders options are case-insensitive.

You don't need to provide both allowedOrigins and allowedOriginsPatterns. If one of the strings passed matches, it is considered a valid origin. A wildcard in allowedOrigins will be converted to a pattern.

If ['*'] is provided to allowedMethods, allowedOrigins or allowedHeaders all methods / origins / headers are allowed.

Note: Allowing a single static origin will improve cacheability.

Example: using the library

use Fruitcake\Cors\CorsService;
$cors = new CorsService([
'allowedHeaders' => ['x-allowed-header', 'x-other-allowed-header'],
'allowedMethods' => ['DELETE', 'GET', 'POST', 'PUT'],
'allowedOrigins' => ['http://localhost', 'https://*'],
'allowedOriginsPatterns' => ['/localhost:\d/'],
'exposedHeaders' => ['Content-Encoding'],
'maxAge' => 0,
'supportsCredentials' => false,
$cors->addActualRequestHeaders(Response $response, $origin);
$cors->handlePreflightRequest(Request $request);
$cors->isActualRequestAllowed(Request $request);
$cors->isCorsRequest(Request $request);
$cors->isPreflightRequest(Request $request);


Released under the MIT License, see LICENSE.

This package is split-off from and developed as stand-alone library since 2022

fruitcake photo

Your #1 dev team

Fruitcake Php Cors Related Articles

Diving into Cross-Origin Resource Sharing image

Diving into Cross-Origin Resource Sharing

Read article
Laravel 9.2 Released image

Laravel 9.2 Released

Read article
No Compromises logo

No Compromises

Joel and Aaron, the two seasoned devs from the No Compromises podcast, are now available to hire for your Laravel project. ⬧ Flat rate of $7500/mo. ⬧ No lengthy sales process. ⬧ No contracts. ⬧ 100% money back guarantee.

No Compromises
Lunar: Laravel E-Commerce logo

Lunar: Laravel E-Commerce

E-Commerce for Laravel. An open-source package that brings the power of modern headless e-commerce functionality to Laravel.

Lunar: Laravel E-Commerce
LaraJobs logo


The official Laravel job board

Bacancy logo


Supercharge your project with a seasoned Laravel developer with 4-6 years of experience for just $2500/month. Get 160 hours of dedicated expertise & a risk-free 15-day trial. Schedule a call now!

Kirschbaum logo


Providing innovation and stability to ensure your web application succeeds.

Lucky Media logo

Lucky Media

Bespoke software solutions built for your business. We ♥ Laravel

Lucky Media