apigopro/slim-cors-middleware
Composer 安装命令:
composer require apigopro/slim-cors-middleware
包简介
PSR-15 CORS middleware for Slim Framework 4, spiritual successor to tuupola/cors-middleware.
关键字:
README 文档
README
A PSR-15 CORS middleware for Slim Framework 4, requiring PHP 8.5.
Spiritual successor to tuupola/cors-middleware
(unmaintained) — same array-based options and behavior, rebuilt as a small, dependency-free PSR-15
middleware with no legacy baggage.
Install
Published on Packagist.
composer require apigopro/slim-cors-middleware
Basic usage
use SlimCors\CorsMiddleware; $app->add(new CorsMiddleware([ 'origin' => ['https://app.example.com', 'https://*.example.com'], 'methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'], 'headers.allow' => ['Authorization', 'Content-Type'], 'headers.expose' => ['X-Request-Id'], 'credentials' => true, 'cache' => 86400, ]));
Add this before (outer to) your auth middleware, so preflight OPTIONS requests get answered
without ever reaching auth checks or route handlers — browsers send preflight requests without
credentials or custom auth headers, so they'd otherwise fail auth for no reason.
$app->add(new CorsMiddleware([/* ... */])); // outermost $app->add(new JwtAuthMiddleware([/* ... */])); // runs after CORS
How it works
- No
Originheader → not a cross-origin request, passed through untouched. Originpresent, not preflight → the wrapped handler runs as normal, thenAccess-Control-Allow-Origin(and friends) get added to the response.- Preflight (
OPTIONS+Access-Control-Request-Methodheader present) → answered directly with a204, without calling the rest of the middleware stack or your route handler at all. - Preflight requesting a method not in
methods→ rejected with405and anAllowheader listing what is allowed (or your customerrorresponse). - Origin not in the allow-list → rejected with
401(or your customerrorresponse).
Options
| Option | Default | Notes |
|---|---|---|
origin |
['*'] |
Allowed origins. Exact strings, or patterns with a * wildcard, e.g. 'https://*.example.com'. |
methods |
['GET', 'POST', 'PUT', 'PATCH', 'DELETE'] |
Sent as Access-Control-Allow-Methods on preflight responses. A preflight requesting a method outside this list gets rejected with 405 instead. Use ['*'] to allow any method. |
headers.allow |
[] |
Sent as Access-Control-Allow-Headers on preflight responses. If empty, whatever the browser asked for via Access-Control-Request-Headers is reflected back. |
headers.expose |
[] |
Sent as Access-Control-Expose-Headers on actual (non-preflight) responses. |
credentials |
false |
Sends Access-Control-Allow-Credentials: true when enabled. Also makes a configured origin => ['*'] reflect the actual request origin instead of a literal *, since browsers reject the literal wildcard combined with credentials. |
cache |
0 |
Seconds for Access-Control-Max-Age on preflight responses. 0 omits the header. |
error |
null |
function($request, $response, array $arguments): ?ResponseInterface. Called when the origin isn't allowed ($arguments has message, origin) or when a preflight's requested method isn't allowed ($arguments has message, method, allowed_methods). Return a response to override the default 401/405. |
response_factory |
(auto-detects slim/psr7) |
Any PSR-17 ResponseFactoryInterface. |
Wildcard origin patterns
new CorsMiddleware([ 'origin' => [ 'https://app.example.com', 'https://*.staging.example.com', // any staging subdomain ], ]);
* matches any sequence of characters within a single pattern; it isn't a full glob/regex
language, just a simple prefix/suffix/subdomain wildcard.
Migrating from tuupola/cors-middleware
- Namespace:
Tuupola\Middleware\CorsMiddleware→SlimCors\CorsMiddleware. loggeroption removed. Wire up your own logging in theerrorcallback if you need it.errorcallback signature is unchanged:($request, $response, array $arguments).- Everything else —
origin,methods,headers.allow,headers.expose,credentials,cache— behaves the same way.
Testing
composer install
composer test
Covers: pass-through for non-CORS requests, allowed/disallowed origins, wildcard origin patterns
(including the credentials + * interaction), preflight short-circuiting, method validation
(405 for disallowed methods, wildcard * methods, case-insensitive matching), configured vs.
reflected Access-Control-Allow-Headers, Access-Control-Expose-Headers, and custom error
callbacks for both origin and method rejections.
License
MIT.
统计信息
- 总下载量: 0
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 2
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2026-07-14