
adityar15

419 error for Sanctum API post request.

My cors.php looks like this:

<?php

return [

    /*
    |--------------------------------------------------------------------------
    | Laravel CORS Options
    |--------------------------------------------------------------------------
    |
    | The allowed_methods and allowed_headers options are case-insensitive.
    |
    | You don't need to provide both allowed_origins and allowed_origins_patterns.
    | If one of the strings passed matches, it is considered a valid origin.
    |
    | If array('*') is provided to allowed_methods, allowed_origins or allowed_headers
    | all methods / origins / headers are allowed.
    |
    */

    /*
     * You can enable CORS for 1 or multiple paths.
     * Example: ['api/*']
     */
    'paths' => ['api/*','sanctum/csrf-cookie'],

    /*
     * Matches the request method. `[*]` allows all methods.
     */
    'allowed_methods' => ['*'],

    /*
     * Matches the request origin. `[*]` allows all origins.
     */
    'allowed_origins' => ['*'],

    /*
     * Matches the request origin with, similar to `Request::is()`
     */
    'allowed_origins_patterns' => [],

    /*
     * Sets the Access-Control-Allow-Headers response header. `[*]` allows all headers.
     */
    'allowed_headers' => ['*'],

    /*
     * Sets the Access-Control-Expose-Headers response header with these headers.
     */
    'exposed_headers' => [],

    /*
     * Sets the Access-Control-Max-Age response header when > 0.
     */
    'max_age' => 0,

    /*
     * Sets the Access-Control-Allow-Credentials header.
     */
    'supports_credentials' => true,
];

My AJAX GET request works perfectly fine. The problem is with the AJAX POST request. I am constantly getting a 419 error. I have included the X-XSRF-TOKEN header in my AJAX headers. On document ready, I am firing a function which looks like this:

fetch('/sanctum/csrf-cookie', { credentials: 'same-origin' })
  .then(response => {
    // Sanctum answers 204 No Content: the XSRF-TOKEN cookie is set by the
    // response headers, so there is no body to read, only a status to check.
    // (The original second .then() received undefined because console.log
    // returns nothing.)
    console.log(response.status);
  });

This function creates the XSRF-TOKEN cookie, which I am using in my AJAX header as:

// Cookie-retrieving helper. Laravel URL-encodes the XSRF-TOKEN cookie value,
// so it must be decoded before being sent back in the header.
function gettoken(name) {
  const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
  return match ? decodeURIComponent(match[1]) : null;
}

const t = gettoken('XSRF-TOKEN');
$.ajaxSetup({
  headers: {
    'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content'),
    'X-XSRF-TOKEN': t,
    // Blade expression: only interpolated when this script is rendered inside a Blade view
    'Authorization': "Bearer {{env('bearer_token')}}"
  },
  async: false
});

The gettoken function is nothing but a cookie-retrieving function. Even after all of this, I am getting a 419 error. What could be the reason? Any solution? Thanks in advance :)

0 likes
6 replies
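The full Sanctum SPA CSRF exchange the question describes, as an added example that is not the original poster's code: fetch the cookie, read and URL-decode the XSRF-TOKEN value, and send it back as X-XSRF-TOKEN together with the session cookie. The endpoint paths are Sanctum's; the function names and the sample cookie string are constructed for this example.

```javascript
// Step 1: GET /sanctum/csrf-cookie sets the XSRF-TOKEN cookie (204, no body).
// Step 2: every state-changing request must echo that cookie's value in the
//         X-XSRF-TOKEN header, URL-decoded, alongside the laravel_session cookie.

// Parse one cookie out of a "k=v; k2=v2" string. Laravel URL-encodes the
// XSRF-TOKEN value (its trailing "=" padding arrives as "%3D"); sending the
// raw value back does not match the session token and yields a 419.
function readCookie(cookieString, name) {
  for (const pair of cookieString.split(';')) {
    const idx = pair.indexOf('=');
    if (idx === -1) continue;
    if (pair.slice(0, idx).trim() === name) {
      return decodeURIComponent(pair.slice(idx + 1).trim());
    }
  }
  return null;
}

// Build the headers Laravel's VerifyCsrfToken middleware expects on a JSON POST.
function sanctumHeaders(cookieString) {
  const token = readCookie(cookieString, 'XSRF-TOKEN');
  if (token === null) {
    throw new Error('XSRF-TOKEN cookie missing: call /sanctum/csrf-cookie first');
  }
  return {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
    'X-Requested-With': 'XMLHttpRequest',
    'X-XSRF-TOKEN': token,
  };
}

// Fetch the CSRF cookie, then POST with both cookies attached. credentials:
// 'same-origin' is what carries the laravel_session cookie; without it the
// server has no session to match the token against and responds 419.
async function sanctumPost(url, payload) {
  await fetch('/sanctum/csrf-cookie', { credentials: 'same-origin' });
  return fetch(url, {
    method: 'POST',
    credentials: 'same-origin',
    headers: sanctumHeaders(document.cookie),
    body: JSON.stringify(payload),
  });
}
```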
MaverickChan

You cannot get env like this; it is the Laravel way, not the JS way.

And the key names in headers do not need quotes.

First, store your access token in localStorage, then you can retrieve it from JS. Second, headers should look like this:

headers: {
  // the browser API is localStorage (camel case); token stored earlier under 'access_token'
  Authorization: 'Bearer ' + localStorage.getItem('access_token')
}

But I think you should check the access token in every component file before you make a request, because some other app could accidentally delete your localStorage content.

adityar15

Hello @maverickchan, thanks for the reply. I edited the authorisation token; I am not taking it from env. I am still facing the same problem of unknown status 419. I guess it has to do with the XSRF-TOKEN. The keys in the header do require quotes, else it throws an error.

MaverickChan

Are you using the Laravel UI Vue preset?

And if your axios setting is right (which I doubt), it may be a router conflict between the Laravel API and the Vue router wildcard. Please show some of your route files, both Laravel and Vue.

MaverickChan

Sorry, I did not notice. Then you should check whether your token is expired, and stick to your original code.

adityar15

Yeah, you are right. The token is getting expired. I checked in the network tab of the Chrome debugger and it shows "419 session expired" in the preview. Is there any way I can pass the XSRF token without it getting expired?
