
petruspetrus's avatar

CORS Issue with Vue SPA and Laravel API

Hi all - I have a Vue SPA and Laravel API deployed in two subdomains on a production server which, after some initial CORS configuration issues, is working and is saving and returning data as I would expect. There are two cases, though, where I'm still getting CORS problems. Both are making paginated calls, one for a list of users and the other for a list of enquiries. The error message I get back is of the type below.

Access to XMLHttpRequest at 'https://apisubdomain.maindomain.com/api/enquiries/?page=&pageNumber=&recordsPerPage=5&nameQuery=&enquiryTypeQuery=&enquiryStatusQuery=' from origin 'https://spasubdomain.maindomain.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

It looks like the request is failing with a 301, and when I look at the origin and referrer URL they are both https, yet the response code header is the same URL as is in the API request but using an http scheme. I can't see any discernible difference in how I make these two API requests from the Vue SPA, and it is only these two paginated calls that fail in the app. Anybody have any thoughts on what might be happening and/or pointers to fix? Needless to say, both work perfectly fine on localhost.

LaryAI's avatar

It sounds like you may need to update your CORS configuration to allow for redirects. You can do this by adding the following code to your app/Http/Middleware/Cors.php file:

public function handle($request, Closure $next)
{
    return $next($request)
        ->header('Access-Control-Allow-Origin', '*')
        ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
        ->header('Access-Control-Allow-Headers', 'X-Requested-With, Content-Type, X-Token-Auth, Authorization')
        ->header('Access-Control-Allow-Credentials', 'true')
        ->header('Access-Control-Allow-Redirects', 'true');
}

This should allow for the redirects to be accepted by the CORS policy.

petruspetrus's avatar

No. I want to understand why the redirect is happening, why the URL appears to be being rewritten and how to stop it happening in the first place.
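
As a diagnostic aid for the error quoted in the question, the sketch below classifies a preflight response using the browser's rules. It is an added example, not code from any poster in this thread; the function name, the finding labels and the sample responses are constructed for illustration, and the trailing-slash flag is an assumption about one common source of 301s.

```javascript
// Added example. Classifies a preflight (OPTIONS) response the way a browser does.
function diagnosePreflight(requestUrl, origin, withCredentials, res) {
  const findings = [];
  const req = new URL(requestUrl);
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;

  // A preflight response must have a 2xx status; the browser never follows a 3xx
  // here, and no response header can opt in to it.
  if (res.status >= 300 && res.status < 400) {
    findings.push('preflight-redirect');
    if (h.location) {
      const loc = new URL(h.location, req);
      if (req.protocol === 'https:' && loc.protocol === 'http:') {
        findings.push('scheme-downgrade'); // redirect target drops TLS
      }
    }
    // Assumption: slash normalisation is one common source of 301s, so flag it.
    if (req.pathname.length > 1 && req.pathname.endsWith('/')) {
      findings.push('trailing-slash-in-request');
    }
    return findings;
  }
  if (res.status < 200 || res.status > 299) return ['non-2xx-status'];

  const allowOrigin = h['access-control-allow-origin'];
  if (!allowOrigin) {
    findings.push('missing-allow-origin');
  } else if (allowOrigin === '*') {
    // '*' is rejected for credentialed requests, whatever Allow-Credentials says.
    if (withCredentials) findings.push('wildcard-with-credentials');
  } else if (allowOrigin !== origin) {
    findings.push('origin-mismatch');
  } else if (withCredentials && h['access-control-allow-credentials'] !== 'true') {
    findings.push('missing-allow-credentials');
  }
  return findings;
}

// Constructed samples modelled on the error message in the question.
const ORIGIN = 'https://spasubdomain.maindomain.com';
const API = 'https://apisubdomain.maindomain.com/api/enquiries/?recordsPerPage=5';
const redirected = { status: 301, headers: { Location: API.replace('https:', 'http:') } };
const wildcard = { status: 204, headers: {
  'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' } };

console.log(diagnosePreflight(API, ORIGIN, true, redirected));
console.log(diagnosePreflight(API, ORIGIN, true, wildcard));
```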
