
astersnake's avatar

Laravel 8 CORS for subdomain API

I'm using Laravel to serve a GraphQL API, using Lighthouse. Everything works fine when I use graphql as a URI in the main domain, but when I use it in a subdomain, e.g. graphql.app.test, I get the following error:

Access to fetch at 'http://graphql.app.test/' from origin 'http://app.test' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin'

My config\cors:

'paths' => ['api/*','graphql'],
'allowed_methods' => ['*'],
'allowed_origins' => ['*'],
'allowed_origins_patterns' => [],
'allowed_headers' => ['*'],
'exposed_headers' => [],
'max_age' => 0,
'supports_credentials' => false,

How can I solve this?

0 likes
7 replies
ismaile
Best Answer
  • If your clients and API have the same domain name and you don't want to allow clients from other domains, you can use:
'allowed_origins' => ['*.app.test'],
  • Since you don't use specific paths for your API routes such as api/*, maybe, you could use:
'paths' => ['*'],

Indeed, if you had API routes such as POST http://graphql.app.test/api/posts and POST http://graphql.app.test/api/comments, and all other API routes were starting with api/ as well, it would make sense to use api/*.

I hope this helps.

1 like
marcosdipaolo's avatar

I'm having issues with Laravel 8. As I see, everything is configured out of the box, but I'm hitting an /api endpoint from a React app and I'm getting a CORS error. Any idea?

WadeShuler's avatar

Sorry to hijack this, but it's practically the same thing.

My frontend testsite.test is hitting api.testsite.test. I am getting a CORS error just like the OP. However, after testing, it seems to only be happy if I put the entire URL:

'allowed_origins' => ['https://testsite.test'],

Simply doing *.testsite.test wasn't working, nor was testsite.test.

Odd that I am having to also pass https:// as well.

Any idea why this is happening to me?

-- EDIT--

FWIW this Laracasts page was one of the first results in Google (for however I worded it). So this would be a good place to add more info to help others out in the future stumbling upon this page :)

It seems when sending requests with credentials, the wildcard is not acceptable.

In my case, I am using Inertia (Vue3) with Sanctum and Laravel sessions. So my JS knows about my logged-in user and handles it.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

When responding to a credentialed request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the "*" wildcard.
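
The behaviour described in the post above, as an added example that is not part of the original thread and is not Laravel's own code: a simplified model of how a CORS middleware could choose the Access-Control-Allow-Origin value, run against the origin from this post. The helper resolveAllowOrigin() and its matching rules are assumptions made for illustration.

```php
<?php
// Constructed example: a simplified model of CORS origin matching.
// resolveAllowOrigin() is a hypothetical helper, not a Laravel API.

function resolveAllowOrigin(string $origin, array $allowed, bool $credentials): ?string
{
    foreach ($allowed as $entry) {
        if ($entry === '*') {
            // Browsers reject "*" on credentialed requests, and reflecting any
            // origin instead would trust every site, so skip it in that case.
            if (!$credentials) {
                return '*';
            }
            continue;
        }
        if (strpos($entry, '*') !== false) {
            // Wildcard entry: "*" stands for one or more host-name characters.
            $regex = '#^' . str_replace('\*', '[a-z0-9.-]+', preg_quote($entry, '#')) . '\z#i';
            if (preg_match($regex, $origin) === 1) {
                return $origin;
            }
            continue;
        }
        // Plain entry: exact comparison against scheme://host[:port].
        if ($entry === $origin) {
            return $origin;
        }
    }
    return null; // header omitted: the browser blocks the cross-origin read
}

// Constructed cases mirroring the post (frontend testsite.test calling api.testsite.test).
$origin = 'https://testsite.test'; // the Origin header always carries the scheme
$cases = [
    "['*'], no credentials"     => [['*'], false],
    "['*'], with credentials"   => [['*'], true],
    "['testsite.test']"         => [['testsite.test'], true],
    "['*.testsite.test']"       => [['*.testsite.test'], true],
    "['https://testsite.test']" => [['https://testsite.test'], true],
];
foreach ($cases as $label => [$allowed, $credentials]) {
    $result = resolveAllowOrigin($origin, $allowed, $credentials);
    printf("%-28s => %s\n", $label, $result ?? '(header omitted)');
}
```

In this model only the full origin, scheme included, is accepted once credentials are involved; the bare host name and the schemeless wildcard never equal the string the browser sends.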

automica's avatar

@wadeshuler can you start a new thread with your issue? This one has been marked as solved so won’t be as visible as a new thread
