CorsMiddleware
in package
implements MiddlewareInterface
CORS Middleware
Handles Cross-Origin Resource Sharing headers and OPTIONS preflight requests.
Origin resolution order:
- Constructor $origins argument (if not null)
- ZEALPHP_CORS_ORIGINS env var (comma-separated)
- Falls back to ['*'] with a one-time warning logged via elog()
Wildcard (*) is a security foot-gun for any API serving credentials or
user-scoped data; the warning surfaces this without breaking existing apps.
Lock down origins explicitly in production:
    $app->addMiddleware(new \ZealPHP\Middleware\CorsMiddleware(
        origins: ['https://myapp.com'],
        methods: ['GET', 'POST', 'PUT', 'DELETE'],
        headers: ['Content-Type', 'Authorization'],
        credentials: true,
        maxAge: 3600,
    ));
Or, to lock down without touching code:
    ZEALPHP_CORS_ORIGINS="https://myapp.com,https://admin.myapp.com" php app.php
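The resolution order described above, written out as a standalone sketch. This is an added example, not ZealPHP's own code: the function names resolveAllowedOrigins() and corsHeadersFor() are hypothetical, error_log() stands in for elog(), and the exact-match comparison and the refusal to send credentials with a wildcard are assumptions about a safe policy, not documented behaviour of CorsMiddleware.

```php
<?php
// Hypothetical helper: constructor argument, then ZEALPHP_CORS_ORIGINS, then ['*'] with one warning.
function resolveAllowedOrigins(?array $explicit): array
{
    static $warned = false;
    if ($explicit !== null) {
        return array_values($explicit);
    }
    $env = getenv('ZEALPHP_CORS_ORIGINS');
    if (is_string($env)) {
        // Comma-separated value: trim whitespace and drop empty entries.
        $list = array_filter(array_map('trim', explode(',', $env)), fn(string $o): bool => $o !== '');
        if ($list !== []) {
            return array_values($list);
        }
    }
    if (!$warned) {
        error_log('CORS: no origins configured, falling back to wildcard'); // stand-in for elog()
        $warned = true;
    }
    return ['*'];
}

// Hypothetical helper: CORS headers for one request Origin (assumed exact-match policy).
function corsHeadersFor(string $requestOrigin, array $allowed, bool $credentials): array
{
    if ($requestOrigin === '') {
        return []; // no Origin header: not a cross-origin browser request
    }
    if (in_array('*', $allowed, true)) {
        // Browsers reject "*" with credentials; echoing the Origin instead would trust every site.
        return ['Access-Control-Allow-Origin' => '*'];
    }
    if (!in_array($requestOrigin, $allowed, true)) {
        return []; // unknown origin: emit no CORS headers at all
    }
    $headers = ['Access-Control-Allow-Origin' => $requestOrigin, 'Vary' => 'Origin'];
    return $headers + ($credentials ? ['Access-Control-Allow-Credentials' => 'true'] : []);
}

// Constructed sample input: an allowed origin, a lookalike that must not match, and no Origin.
putenv('ZEALPHP_CORS_ORIGINS=https://myapp.com, https://admin.myapp.com');
$allowed = resolveAllowedOrigins(null);
foreach (['https://admin.myapp.com', 'https://myapp.com.example.net', ''] as $origin) {
    echo json_encode([$origin => corsHeadersFor($origin, $allowed, true)], JSON_UNESCAPED_SLASHES), PHP_EOL;
}
```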
Table of Contents
Interfaces
- MiddlewareInterface
Properties
- $credentials : bool
- $headers : array<int, string>
- $maxAge : int
- $methods : array<int, string>
- $origins : array<int, string>
- $warnedWildcard : bool
Methods
- __construct() : mixed
- process() : ResponseInterface
- resolveOrigin() : string
- resolveOriginsList() : array<int, string>
Properties
$credentials
private bool $credentials
$headers
private array<int, string> $headers
$maxAge
private int $maxAge
$methods
private array<int, string> $methods
$origins
private array<int, string> $origins
$warnedWildcard
private static bool $warnedWildcard = false
Methods
__construct()
public
__construct([array<int, string>|null $origins = null ][, array<int, string> $methods = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'] ][, array<int, string> $headers = ['Content-Type', 'Authorization', 'X-Requested-With', 'Accept'] ][, bool $credentials = false ][, int $maxAge = 86400 ]) : mixed
Parameters
- $origins : array<int, string>|null = null
  Explicit allowed origins, or null to fall back to env / wildcard.
- $methods : array<int, string> = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS']
- $headers : array<int, string> = ['Content-Type', 'Authorization', 'X-Requested-With', 'Accept']
- $credentials : bool = false
- $maxAge : int = 86400
process()
public
process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
Parameters
- $request : ServerRequestInterface
- $handler : RequestHandlerInterface
Return values
ResponseInterface
resolveOrigin()
private
resolveOrigin(string $requestOrigin) : string
Parameters
- $requestOrigin : string
Return values
string
resolveOriginsList()
private
resolveOriginsList(array<int, string>|null $explicit) : array<int, string>
Parameters
- $explicit : array<int, string>|null