CORS with php headers

Many descriptions on the Internet do not mention that specifying Access-Control-Allow-Origin not enough. Here is a complete example that works for me:

 <?php if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') { header('Access-Control-Allow-Origin: *'); header('Access-Control-Allow-Methods: POST, GET, DELETE, PUT, PATCH, OPTIONS'); header('Access-Control-Allow-Headers: token, Content-Type'); header('Access-Control-Max-Age: 1728000'); header('Content-Length: 0'); header('Content-Type: text/plain'); die(); } header('Access-Control-Allow-Origin: *'); header('Content-Type: application/json'); $ret = [ 'result' => 'OK', ]; print json_encode($ret); 

I just managed to get dropzone and another plugin to work with this fix (angularjs + php backend)

  header('Access-Control-Allow-Origin: *'); header("Access-Control-Allow-Credentials: true"); header('Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS'); header('Access-Control-Max-Age: 1000'); header('Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token , Authorization'); 

add this to your upload.php file or where you send your request (for example, if you have upload.html and you need to attach files to upload.php, copy and paste these 4 lines). Also, if you use CORS plugins / addons in chrome / mozilla, be sure to enable them more than once to enable CORS.

If you want to create a CORS service from PHP, you can use this code as the first step in your file that processes requests:

 // Allow from any origin if(isset($_SERVER["HTTP_ORIGIN"])) { // You can decide if the origin in $_SERVER['HTTP_ORIGIN'] is something you want to allow, or as we do here, just allow all header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}"); } else { //No HTTP_ORIGIN set, so we allow any. You can disallow if needed here header("Access-Control-Allow-Origin: *"); } header("Access-Control-Allow-Credentials: true"); header("Access-Control-Max-Age: 600"); // cache for 10 minutes if($_SERVER["REQUEST_METHOD"] == "OPTIONS") { if (isset($_SERVER["HTTP_ACCESS_CONTROL_REQUEST_METHOD"])) header("Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT"); //Make sure you remove those you do not want to support if (isset($_SERVER["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"])) header("Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}"); //Just exit with 200 OK with the above headers for OPTIONS method exit(0); } //From here, handle the request as it is ok 

CORS can be a headache if we do not correctly understand its functioning. I use them in PHP and they work without problems. link here

 header("Access-Control-Allow-Origin: *"); header("Access-Control-Allow-Credentials: true"); header("Access-Control-Max-Age: 1000"); header("Access-Control-Allow-Headers: X-Requested-With, Content-Type, Origin, Cache-Control, Pragma, Authorization, Accept, Accept-Encoding"); header("Access-Control-Allow-Methods: PUT, POST, GET, OPTIONS, DELETE"); 

This code works for me when using angular 4 as client and PHP as server.

("Access-Control-Allow-Origin: *");

it should work

 header("Access-Control-Allow-Origin: *"); header("Access-Control-Allow-Headers: X-Requested-With, Content-Type, Origin, Cache-Control, Pragma, Authorization, Accept, Accept-Encoding"); 

This code example in the above code seems to be a bug. In this code, response headers are contained in {curly brackets}. As soon as I deleted them, Axios finally stopped throwing errors.

add this code to .htaccess

add a custom authentication key to the header, such as app_key, auth_key..etc

 Header set Access-Control-Allow-Origin "*" Header set Access-Control-Allow-Headers: "customKey1,customKey2, headers, Origin, X-Requested-With, Content-Type, Accept, Authorization"