CORS (Cross-Origin Resource Sharing) setup for website API

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.

8+Years of workmore info 900+Completed projectsmore info 100+In house employeesmore info 19+Partnersmore info

Development and maintenance of all types of websites:

Informational websites or web applications

Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators

E-commerce websites or web applications

Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers

Business process management web applications

CRM systems, ERP systems, corporate portals, production management systems, information parsers

Electronic service websites or web applications

Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services

Showing 1 of 1 servicesAll 2065 services

CORS (Cross-Origin Resource Sharing) setup for website API

Simple

~2-3 hours

FAQ

Our competencies:

Free consultation

Book a free consultation if you have any questions. A dedicated specialist will advise you.

Cost calculation

If you know what exactly you need to develop, or you already have a ready-made technical task.

Development stages

Latest works

Development of a web application for FEEDME
1161
Development of an online store for the company FURNORO
1041
Development of a web application for Enviok
822
CRM development for Chasseurs
847
Website development for SBH Partners
999
Website development for Red Pear
451

Show more works

CORS (Cross-Origin Resource Sharing) Setup for API

CORS — browser mechanism allowing or denying web pages to make requests to another domain. Without proper setup, frontend on app.example.com cannot access API on api.example.com, even if both belong to you.

How It Works

For "simple" requests (GET, POST with certain headers) browser sends request and checks response headers. For "complex" (PUT, DELETE, custom headers) preflight OPTIONS request comes first:

OPTIONS /api/users HTTP/1.1
Origin: https://app.example.com
Access-Control-Request-Method: DELETE
Access-Control-Request-Headers: Authorization, Content-Type

Server must respond with permission:

Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Max-Age: 86400

Nginx Setup

location /api/ {
    if ($request_method = 'OPTIONS') {
        add_header Access-Control-Allow-Origin $http_origin;
        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
        add_header Access-Control-Allow-Headers "Authorization, Content-Type, X-Requested-With";
        add_header Access-Control-Max-Age 86400;
        return 204;
    }

    add_header Access-Control-Allow-Origin $http_origin always;
    add_header Access-Control-Allow-Credentials true always;
    proxy_pass http://backend;
}

Laravel Setup

// config/cors.php
return [
    'paths' => ['api/*'],
    'allowed_methods' => ['*'],
    'allowed_origins' => ['https://app.example.com', 'https://admin.example.com'],
    'allowed_headers' => ['Authorization', 'Content-Type', 'X-Requested-With'],
    'exposed_headers' => ['X-Total-Count'],
    'max_age' => 86400,
    'supports_credentials' => true,
];

Package fruitcake/laravel-cors (built in Laravel 7+) handles everything automatically via middleware.

Credentials and Cookies

If API uses cookie sessions or transmits credentials:

Server must return Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin cannot be * — only specific domain
Frontend must specify credentials: 'include' in fetch or withCredentials: true in Axios

Common Mistakes

Access-Control-Allow-Origin: * with credentials: true — browser blocks
Dynamic $http_origin without whitelist verification — any site gets access
Missing CORS headers on error responses (4xx/5xx) — frontend won't see error body

Implementation Timeline

Basic CORS setup for typical project — 2–4 hours.