Enabling CORS on CakePHP

enable_cors_on_cakephp.php

public function beforeFilter() {
    parent::beforeFilter();
        $this->response->header('Access-Control-Allow-Origin','*');
        $this->response->header('Access-Control-Allow-Methods','*');
        $this->response->header('Access-Control-Allow-Headers','X-Requested-With');
        $this->response->header('Access-Control-Allow-Headers','Content-Type, x-xsrf-token');
        $this->response->header('Access-Control-Max-Age','172800');
}

Hi all,
I have finally found a more structure way in CakePHP 4.x to manage CORS.

I have created a middleware, inspired by the https://github.com/ozee31/cakephp-cors that finally manage correctly the OPTIONS preflying call.

        if (strtoupper($request->getMethod()) === 'OPTIONS') {
            $response = $response
                ->withHeader('Access-Control-Expose-Headers', $this->_exposeHeaders())
                ->withHeader('Access-Control-Allow-Headers', $this->_allowHeaders($request))
                ->withHeader('Access-Control-Allow-Methods', $this->_allowMethods())
                ->withStatus(200,__('You shall pass!!'));
        }

With the last row ->withStatus(200,'some text here'); it works correctly.

I hope this give an help to someone.

I want to allow 2 domains and a subdomain. How can I do this? Allowing all the websites/subdomains are not good solution. Any suggestion. Thanks.

The middleware

class CorsMiddleware implements MiddlewareInterface
{
    /**
     * @inheritDoc
     */
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // Calling $handler->handle() delegates control to the *next* middleware
        // In your application's queue.
        $response = $handler->handle($request);

        if ($response instanceof Response) {
            if ($request instanceof ServerRequest) {
                $response = $response
                    ->cors($request)
                    ->allowOrigin(['*'])
                    ->allowMethods(['*'])
                    ->allowHeaders(['*'])
                    ->allowCredentials()
                    ->build()
                    ->withStatus(200, __('You shall pass!!'));
            }
        }

        return $response;
    }
}

And in Application.php

            ->add(new CorsMiddleware()) // Add this line here

            // Add routing middleware.
            // If you have a large number of routes connected, turning on routes
            // caching in production could improve performance.
            // See https://github.com/CakeDC/cakephp-cached-routing
            ->add(new RoutingMiddleware($this))

            // Parse various types of encoded request bodies so that they are
            // available as array through $request->getData()
            // https://book.cakephp.org/4/en/controllers/middleware.html#body-parser-middleware
            ->add(new BodyParserMiddleware())

Just in case: Inside bootstrap.php:

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: POST, GET, PUT, PATCH, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: *');
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
    exit(0);
}

Thank you, I was struggling for a week to figure it out.

Just in case: Inside bootstrap.php:

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: POST, GET, PUT, PATCH, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: *');
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
    exit(0);
}

Thank you so much. This works perfectly for my case

From CakePHP docs https://book.cakephp.org/4/en/controllers/request-response.html#setting-cross-origin-request-headers-cors

$this->response = $this->response->cors($this->request)
    ->allowOrigin(['*.cakephp.org'])
    ->allowMethods(['GET', 'POST'])
    ->allowHeaders(['X-CSRF-Token'])
    ->allowCredentials()
    ->exposeHeaders(['Link'])
    ->maxAge(300)
    ->build();