timgavin's avatar

Upgraded from 6 to 10 and now an API page is borked

I just upgraded my Laravel app from 6 to 10. It was using the Spatie CORS package, though I have removed it because of Laravel baking CORS right in.

I have a mobile app I created with the Ionic framework in the App Store which displays a web page (on the API route) from the Laravel app in a web view. This page isn't showing and I'm wondering if it's a CORS issue?

To be clear, the API is working just fine, so if it was a CORS issue I think the API wouldn't work...?

What's strange is that if I view that API URL in Insomnia, I can see the page on my MacBook, but I can't see the page in the mobile app, yet I could when it was on Laravel 6. So maybe it's not CORS...

Is there anything in the upgrade path anyone can think of that would have borked this? Or anything that you can think of that I should check? I'm at a loss on this right now and the app is live!

0 likes
12 replies
LaryAI's avatar
Level 58

It's possible that the issue is related to the upgrade from Laravel 6 to 10, but it's also possible that it's unrelated. Here are a few things to check:

  1. Check the Laravel logs to see if there are any errors being thrown when the mobile app tries to access the API page.

  2. Check the network traffic in the mobile app to see if there are any errors being returned by the API.

  3. Check the server logs to see if there are any errors being thrown when the mobile app tries to access the API page.

  4. Check the mobile app code to make sure that it's still sending the auth_token parameter correctly.

  5. Check the API code to make sure that it's still accepting the auth_token parameter correctly.

  6. Check the mobile app code to make sure that it's still handling the response from the API correctly.

  7. Check the API code to make sure that it's still returning the correct response to the mobile app.

If none of these steps help, it may be necessary to do some debugging to figure out what's going wrong. One way to do this is to add some logging statements to the mobile app and the API code to see where the problem is occurring. For example, you could add a log statement to the mobile app that logs the response from the API, and a log statement to the API code that logs the request parameters. This should help you narrow down the problem.

Also, it's worth noting that CORS issues can sometimes be tricky to diagnose, so it's possible that the issue is related to CORS even if the API is still working. If you suspect that this might be the case, you could try adding some debug statements to the Laravel code to see if the CORS middleware is being applied correctly.

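// Example of adding debug statements to Laravel code
use Closure;
use Illuminate\Support\Facades\Log;

public function handle($request, Closure $next)
{
    // Written to the Laravel log each time a request passes through this middleware
    Log::debug('CORS middleware applied');
    return $next($request);
}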
timgavin's avatar

@click Yes. Took me several hours too :/

Edit: fruitcake/laravel-cors was abandoned because Laravel now has CORS baked in

click's avatar

@timgavin So you are using the new CORS library including the suggested cors config file? If so, are you able to verify the configuration is exactly the same?

Are you able to debug the Ionic app and get an actual error message? Are you able to log the API requests and see if those requests are even hitting your server or not? If not, you are sure it is something between the app and your app.

timgavin's avatar

@click It's an old app and I wasn't able to find the source code, until now! Tested it in my browser and saw the error message

Refused to display '[THE SITE]' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Not sure where I can fix this in Laravel though; found some old answers but still digging...

click's avatar

@timgavin That can be something on your server (nginx headers) or something in your Laravel app. But if you only updated your Laravel app and not the server, it should be somewhere in your Laravel code. Do you have some Content Security Policy (CSP) middleware or an implementation of the FrameGuard middleware?

Btw, I notice that https://github.com/fruitcake/laravel-cors is deprecated; in Laravel 9 it is integrated. See the readme of the package.

timgavin's avatar

@click The only things I have added are spatie/laravel-permission and spatie/laravel-honeypot and I don't think those would do it?

Of course I'm using \Illuminate\Http\Middleware\HandleCors::class in app/Http/Kernel.php

Looking into \Illuminate\Http\Middleware\FrameGuard::class right now...

click's avatar
click
Best Answer
Level 35

@timgavin Btw, X-Frame-Options SAMEORIGIN is the default setting of, for example, the Forge Nginx template.

add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";

If you did not update your server, I would not know off the top of my head why this would work with Laravel 6 and not with Laravel 10. But it is something to check out.

timgavin's avatar

@click Got it!

I edited the Nginx config and changed the X-Frame-Options from SAMEORIGIN to the domain and it's working.

add_header X-Frame-Options "ALLOW-FROM mydomain.com";

Appears that ALLOW-FROM isn't as secure, but I don't know what else to do... shrug

Thanks for your help!

click's avatar

@timgavin You could disable the headers and handle it via middleware yourself. There are several packages available, but you can also write your own easily as you only need to set some headers via middleware.

A tool like this can also "build" the CSP headers for you: https://report-uri.com/home/generate.

The benefit of handling it via Laravel & middleware is that you can easily control it and change it based on the current request.

timgavin's avatar

@click I created some Middleware and it didn't work. Even tried adding a PHP header directly to the page, .htaccess rules, etc. and nothing worked except for updating the Nginx config.

I'll definitely take a look at those though, thanks!
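
On the `ALLOW-FROM` change above, as an added example that is not part of the thread: `ALLOW-FROM` is obsolete and current browsers ignore it, so that header places no restriction on framing, while the supported way to allow one specific embedder is the CSP `frame-ancestors` directive. The JavaScript below is a simplified model of the browser's check, run over constructed headers; `framingPolicy`, the sample origins and the exact-origin matching are assumptions of the example.

```javascript
// Simplified model of the framing check in current browsers: CSP frame-ancestors
// first, then X-Frame-Options as processed by the HTML Standard.
// headers: [name, value] pairs; duplicates allowed (e.g. nginx and the app both add one).
function framingPolicy(headers, selfOrigin) {
  const values = (name) =>
    headers.filter(([n]) => n.toLowerCase() === name).map(([, v]) => v);

  // 1. If any enforced policy carries frame-ancestors, X-Frame-Options is not consulted.
  const lists = [];
  for (const policy of values('content-security-policy')) {
    const directive = policy.split(';')
      .map((d) => d.trim().split(/\s+/))
      .find(([name]) => name.toLowerCase() === 'frame-ancestors');
    if (directive) lists.push(directive.slice(1));
  }
  if (lists.length > 0) {
    // Exact-origin matching only; real source expressions also allow wildcards and paths.
    const matches = (src, embedder) =>
      src === '*' || src === embedder || (src === "'self'" && embedder === selfOrigin);
    const allows = (embedder) => lists.every((l) => l.some((s) => matches(s, embedder)));
    return { source: 'csp', allows };
  }

  // 2. X-Frame-Options: only DENY and SAMEORIGIN are enforced.
  const xfo = [...new Set(values('x-frame-options')
    .flatMap((v) => v.split(','))
    .map((v) => v.trim().toLowerCase()))];
  const known = xfo.some((v) => ['deny', 'allowall', 'sameorigin'].includes(v));
  // DENY, or conflicting values that include a recognised one, block framing entirely.
  if (xfo[0] === 'deny' || (xfo.length > 1 && known)) {
    return { source: 'x-frame-options', allows: () => false };
  }
  if (xfo[0] === 'sameorigin') {
    return { source: 'x-frame-options', allows: (embedder) => embedder === selfOrigin };
  }
  // 3. ALLOW-FROM and other unrecognised values are ignored: framing is unrestricted.
  return { source: 'none', allows: () => true };
}

// Constructed sample responses; the origins are placeholders, not values from the thread.
const SITE = 'https://site.example';
const APP = 'https://app.example';
const samples = {
  sameorigin: [['X-Frame-Options', 'SAMEORIGIN']],
  allowFrom: [['X-Frame-Options', `ALLOW-FROM ${APP}`]],
  both: [['X-Frame-Options', 'SAMEORIGIN'], ['X-Frame-Options', `ALLOW-FROM ${APP}`]],
  csp: [['X-Frame-Options', 'SAMEORIGIN'],
        ['Content-Security-Policy', `frame-ancestors 'self' ${APP}`]],
};
```

The `both` sample is the case where the server config and the application each send their own `X-Frame-Options` value, which is why the header should be set in one place only.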