A CakePHP (4+) plugin that enables CORS (cross-origin resource sharing) for your application through a middleware.
For CakePHP 3.3+, use the cake-3 branch.
- PHP version 7.2 or higher
- CakePHP 4.0 or higher
You can install this plugin into your CakePHP application using composer.
The recommended way to install composer packages is:
composer require ozee31/cakephp-cors
Loading the Plugin
// In src/Application.php
public function bootstrap(): void
{
    // code ...
    $this->addPlugin('Cors');
}
By default, the plugin allows CORS for all origins, all methods and all headers, and caches preflight results for one day.
<?php
[
    'AllowOrigin' => true, // accept all origins
    'AllowCredentials' => true,
    'AllowMethods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'], // accept all HTTP methods
    'AllowHeaders' => true, // accept all headers
    'ExposeHeaders' => false, // expose no custom headers
    'MaxAge' => 86400, // cache for 1 day
    'exceptionRenderer' => 'Cors\Error\AppExceptionRenderer', // use the plugin's ExceptionRenderer class
];
In app.php, add:
'Cors' => [
    // My Config
]
AllowOrigin (Access-Control-Allow-Origin)
A returned resource may have one Access-Control-Allow-Origin header, with the following syntax:
'Cors' => [
    // Accept all origins
    'AllowOrigin' => true,
    // OR
    'AllowOrigin' => '*',
    // Accept one origin
    'AllowOrigin' => 'http://flavienbeninca.fr',
    // Accept many origins
    'AllowOrigin' => ['http://flavienbeninca.fr', 'http://google.com'],
]
AllowCredentials (Access-Control-Allow-Credentials)
The Access-Control-Allow-Credentials header indicates whether the response to the request can be exposed when the credentials flag is true. When used as part of a response to a preflight request, it indicates whether the actual request can be made using credentials. Note that simple GET requests are not preflighted, so if a request for a resource is made with credentials and this header is not returned with the resource, the browser ignores the response and does not return it to web content.
'Cors' => [
    'AllowCredentials' => true,
    // OR
    'AllowCredentials' => false,
]
AllowMethods (Access-Control-Allow-Methods)
'Cors' => [
    // string
    'AllowMethods' => 'POST',
    // OR array
    'AllowMethods' => ['GET', 'POST'],
]
AllowHeaders (Access-Control-Allow-Headers)
The Access-Control-Allow-Headers header is used in response to a preflight request to indicate which HTTP headers can be used when making the actual request.
'Cors' => [
    // accept all headers
    'AllowHeaders' => true,
    // accept just authorization
    'AllowHeaders' => 'authorization',
    // accept many headers
    'AllowHeaders' => ['authorization', 'other-header'],
]
ExposeHeaders (Access-Control-Expose-Headers)
The Access-Control-Expose-Headers header lets a server whitelist headers that browsers are allowed to access. For example:
'Cors' => [
    // nothing
    'ExposeHeaders' => false,
    // string
    'ExposeHeaders' => 'X-My-Custom-Header',
    // array
    'ExposeHeaders' => ['X-My-Custom-Header', 'X-Another-Custom-Header'],
]
MaxAge (Access-Control-Max-Age)
The Access-Control-Max-Age header indicates how long the results of a preflight request can be cached.
'Cors' => [
    // no cache
    'MaxAge' => false,
    // 1 hour
    'MaxAge' => 3600,
    // 1 day
    'MaxAge' => 86400,
]
This option overrides the default exceptionRenderer in app.php.
By default, this class extends from Error.exceptionRenderer to add CORS headers.
If you don't want to override exceptionRenderer, you must write:
'Cors' => [
    'exceptionRenderer' => false
]
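The defaults listed above accept every origin with AllowCredentials set to true. As an added example (not part of the plugin; the function name auditCorsConfig and the origin https://app.example.com are assumptions), this PHP function reviews a 'Cors' array using the option keys documented here and reports settings worth tightening before deployment:

```php
<?php
// Added example, not the plugin's code: flag risky combinations in a 'Cors'
// config array. Missing keys fall back to the defaults listed on this page.
function auditCorsConfig(array $cors): array
{
    $cors += ['AllowOrigin' => true, 'AllowCredentials' => true, 'AllowHeaders' => true];
    $findings = [];
    $anyOrigin = $cors['AllowOrigin'] === true || $cors['AllowOrigin'] === '*';

    if ($anyOrigin && $cors['AllowCredentials'] === true) {
        $findings[] = 'Every origin is accepted while AllowCredentials is true: '
            . 'list trusted origins in AllowOrigin or set AllowCredentials to false.';
    }
    if (!$anyOrigin) {
        foreach ((array)$cors['AllowOrigin'] as $origin) {
            $parts = parse_url((string)$origin);
            if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
                $findings[] = "AllowOrigin entry '$origin' is not scheme://host[:port].";
                continue;
            }
            if ($parts['scheme'] !== 'https') {
                $findings[] = "AllowOrigin entry '$origin' is not https; "
                    . 'pages served over plain http can be modified in transit.';
            }
            if (isset($parts['path']) || isset($parts['query'])) {
                $findings[] = "AllowOrigin entry '$origin' has a path or query; "
                    . 'an Origin header carries only scheme, host and port.';
            }
        }
    }
    if ($cors['AllowHeaders'] === true) {
        $findings[] = 'AllowHeaders is true: list only the request headers the API reads.';
    }
    return $findings;
}

// Plugin defaults as documented above.
$defaults = ['AllowOrigin' => true, 'AllowCredentials' => true, 'AllowHeaders' => true];
// Constructed sample: one trusted front end (hypothetical origin).
$restricted = [
    'AllowOrigin' => ['https://app.example.com'],
    'AllowCredentials' => true,
    'AllowMethods' => ['GET', 'POST'],
    'AllowHeaders' => ['authorization'],
];
foreach (['defaults' => $defaults, 'restricted' => $restricted] as $name => $config) {
    $findings = auditCorsConfig($config);
    echo $name, ': ', $findings ? implode("\n  ", $findings) : 'no findings', "\n";
}
```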