Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Laravel CORS Middleware

CORS stands for Cross-Origin Resource Sharing an is a specification that allow modern browsers to request (and receive) data from a domain other than the one serving the page that made the request.

You're building a site with cool cross domain features, and then you try to make a XHR request, you see the following message in your browser’s console:

XMLHttpRequest cannot load http://site123.local. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://site.local' is therefore not allowed access. The response had HTTP status code 500.

This means your server is not sending back to the client the headers that allow CORS:

1.Access-Control-Allow-Origin 2.Access-Control-Allow-Methods

So we'll make a Laravel Middleware to fix this. (You could also add the proper headers at the Ngnix level).

Create new middleware:

php artisan make:middleware Cors

Then follow the file examples in this gist to make it happen.

See for more information.

<?php // /app/Http/Middleware/Cors.php
namespace App\Http\Middleware;
use Closure;
class Cors {
public function handle($request, Closure $next)
return $next($request)
->header('Access-Control-Allow-Origin', '*')
->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
<?php // /app/Http/Kernel.php
protected $routeMiddleware = [
'auth' => \App\Http\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'cors' => \App\Http\Middleware\Cors::class, // <<< add this line
Route::get('', ['middleware' => 'cors', function() {
return 'You did it!';
Copy link

ubiratanlima commented Aug 7, 2018

Caso ainda esteja com dificuldades, pode serguir esse aqui... funciona bem, muito simples de configurar tambem.
Lembrando que no Cors, se voce quiser todos basta colocar ['*'], caso contrario é só informar a origem.

Copy link

adahox commented Sep 5, 2018

Funcionou perfeitamente!!! parabéns e obrigado.

Copy link

gomesiago commented Sep 20, 2018

A documentação mostra como colocar urls na exceção do csrf.

Copy link

gilsonviana commented Jul 22, 2019

O example parece nao funcionar no Laravel versao 5.8

Copy link

NKmelnikov commented Jan 8, 2021

A documentação mostra como colocar urls na exceção do csrf.

Thanks. Your approach helped me

Copy link

Cardoso-topdev commented Feb 8, 2021

Thanks for your detailed documentation.
It helped me to solve the cors error.

Copy link

cryptiswap-admin commented May 9, 2022

Are you able to only add 2 domains without using a wildcard "*" to allow all domains? I mean, what's the point of CORS if you are allowing all origins?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment