How to set CORS header in a PHP app?

jmansour

I would like to set the Access-Control-Allow-Origin header, to allow JS from a different domain to access my site. However, I can't get it to work.

If I set it in PHP via header('Access-Control-Allow-Origin', '*');, it sends the header, but only on regular requests (GET). The browser however sends an OPTIONS request and the script is not run.

I tried switching from 'Nginx/PHP-FPM' to 'Apache/PHP-CGI' and created a .htaccess file (permissions 644) with the following content, but it also had no effect:

<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>

Does anybody have a recipie how to send the header correctly?

jmansour

With this recipie here, it works:
https://stackoverflow.com/a/9866124/143091
It sets a few other headers, and doesn't set the origin to "*" but the request's origin.

sean

jmansour that is the approach I recommend.

If you want it to set "*" as the allowed origin, then you'll need to modify that line of the code to do so like this:

function cors() {
    
    // Allow from any origin
    if (isset($_SERVER['HTTP_ORIGIN'])) {
        // allow all origins
        header("Access-Control-Allow-Origin: *");
        header('Access-Control-Allow-Credentials: true');
        header('Access-Control-Max-Age: 86400');    // cache for 1 day
    }
    
    // Access-Control headers are received during OPTIONS requests
    if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
        
        if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']))
            // may also be using PUT, PATCH, HEAD etc
            header("Access-Control-Allow-Methods: GET, POST, OPTIONS");         
        
        if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']))
            header("Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}");
    
        exit(0);
    }
    
    echo "You have CORS!";
}

Here's the result I got from that on a test site:

$ curl -I -H "Origin: foo.com" http://mytestdomain.com/
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 01 Aug 2021 14:07:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400

Hope that helps 🙂