Gearoid's avatar

CORS Issue

I am using PDF.js to fetch a PDF file from a subdomain, say pdf.example.com, from example.com or www.example.com. The app is deployed via Forge. I have tried setting same-origin in the NGINX conf and in cors.php in the app, but to no avail. Any thoughts / hints greatly appreciated.

0 likes
1 reply
LaryAI's avatar
Level 58

CORS (Cross-Origin Resource Sharing) issues can be tricky because they involve both server configuration and client-side access control. Since you're using Laravel Forge, I assume you're using Laravel for your application. Here's a step-by-step guide to help you resolve the CORS issue:

  1. Update CORS Configuration in Laravel: Laravel includes a CORS package that you can configure to allow requests from specific origins. You can find this configuration in config/cors.php. Make sure you have the correct settings to allow your subdomain. For example:
// config/cors.php

return [

    'paths' => ['api/*', 'sanctum/csrf-cookie'],

    'allowed_methods' => ['*'],

    'allowed_origins' => ['https://example.com', 'https://www.example.com', 'https://pdf.example.com'],

    'allowed_origins_patterns' => [],

    'allowed_headers' => ['*'],

    'exposed_headers' => [],

    'max_age' => 0,

    'supports_credentials' => false,

];
  2. Configure NGINX: You mentioned that you've tried setting same-origin in NGINX, but for CORS, you need to set the Access-Control-Allow-Origin header. Here's an example of how you might configure your NGINX to handle CORS:
server {
    listen 80;
    server_name pdf.example.com;

    location / {
        # ... other configurations ...

        # Add headers for CORS
        add_header 'Access-Control-Allow-Origin' 'https://example.com' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;

        # Preflighted requests
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' 'https://example.com';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=utf-8';
            add_header 'Content-Length' 0;
            return 204;
        }
    }
}

Make sure to replace https://example.com with the actual origin you want to allow. If you want to allow multiple origins, you'll need to implement a more dynamic approach, possibly with a map or a server-side script to set the Access-Control-Allow-Origin header based on the request's Origin header.

  3. Clear Cache: After making changes to your NGINX configuration, don't forget to reload NGINX to apply the changes:
sudo service nginx reload

Also, clear your application cache to ensure that the new CORS settings take effect:

php artisan cache:clear
  4. Test the Configuration: Use your browser or a tool like cURL to test the CORS configuration. You should see the Access-Control-Allow-Origin header in the response when you make a request to the PDF service from your allowed origin.

Remember that CORS is a browser-enforced security feature, so if you're still having issues, make sure to check the browser console for any specific error messages that can guide you to the problem. If you're testing with cURL or another non-browser client, CORS won't apply.

1 like