Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

CDSchultz's avatar

CORS no 'Access-Control-Allow-Origin' header is present

I have a Laravel 6 project with an external API, other laravel applications can access this API with no issues however everytime I try to access with axios from another site i get..

Access to XMLHttpRequest at 'https://blablah.com/app/api/ext/extSMS' from origin 'http://172.17.1.7:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

my axios

        let api = axios.create({
          baseURL: 'https://blablah.com/app/api/ext/extSMS',
          method: 'post',
          headers: {
            'Authorization':$apikey
          },
          timeout: 100000
        });

        let form_params= {
          appId: '3',
          recpNum: '8888888888',
          recpName: 'John Demo',
          recpMsg: 'Hello World',
          msgType: '2',
          recpComment: "Hello World"

        }

        api.post('', form_params)
          .then(response => {
            console.log('success', response.data.message)
          }).catch(error => {
            console.log(error.toJSON())
          });

I have tried using the Cors.php middleware into the route with no success along with countless other articles found on stack overflow. Any guidance would be appreciated.

0 likes
5 replies
CDSchultz's avatar

Kernal.php Where i put in the cors

    protected $routeMiddleware = [
        'auth' => \App\Http\Middleware\Authenticate::class,
        'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
        'auth.key' => \App\Http\Middleware\AuthenticateWithAPIKey::class,
        'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
        'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
        'can' => \Illuminate\Auth\Middleware\Authorize::class,
        'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
        'signed' => \Illuminate\Routing\Middleware\ValidateSignature::class,
        'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
        'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
        'cors' => \App\Http\Middleware\Cors::class
    ];

My api.php

Route::prefix('ext')->group(function() {
  Route::group(['middleware' => ['cors', 'auth.key']], function(){
    Route::post('extSMS', 'MessageController@extSMS');
  });

My Cors.php

<?php

namespace App\Http\Middleware;

use Closure;

class Cors
{
  /**
  * Handle an incoming request.
  *
  * @param  \Illuminate\Http\Request  $request
  * @param  \Closure  $next
  * @return mixed
  */
  public function handle($request, Closure $next)
  {
    return $next($request)
    ->header('Access-Control-Allow-Origin', '*')
    ->header('Access-Control-Allow-Methods', 'OPTIONS, GET, POST, PUT, DELETE')
    ->header('Access-Control-Allow-Headers', 'X-Requested-With, Content-Type, X-Token-Auth, Authorization');
  }
}
CDSchultz's avatar
CDSchultz
OP
6 years ago
Best Answer
Level 3

So went for a deep dive into other CORS conversations on here and found this link.

https://www.sltech.club/single/how-to-fixed-laravel-cors-error-without-having-any-package-access-control-allow-origin-error

it has me add my headers to the api.php file

<?php

use Illuminate\Http\Request;

/*
|--------------------------------------------------------------------------
| API Routes
|--------------------------------------------------------------------------
|
| Here is where you can register API routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| is assigned the "api" middleware group. Enjoy building your API!
|
*/

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE');
header('Access-Control-Allow-Headers: Content-Type, X-Auth-Token, Origin, Authorization');

//your api routes in here

I'm just curious as to the possible impacts doing this could cause. I do not plan on leaving the origin as '*' and will account for each site that may make the call. However I'm not sure any other issues could arise so I turn to you the experts.

Seasky's avatar

Could you find a better solution @cdschultz? I tried all the possible solution existent, but only putting the headers in api.php worked for me.

R3N's avatar

I solved this issue. I was careless and missed some steps in:

  1. https://github.com/fruitcake/laravel-cors
  2. php artisan vendor:publish --tag="cors"
  3. Will generate a config/cors.php file
  4. inside change the path to 'paths' => ['api/*'],
ronaldgevern's avatar

Basically, using ajax with local resources doesn't work.

Chrome and Safari has a restriction on using ajax with local resources. This error means that you are trying to perform Ajax on a local file. This is forbidden for security reasons.

In order to solve this problem, you can use firefox or upload your data to a temporary server. If you still want to use Chrome, start it with the below option;

--allow-file-access-from-files

Also, this kind of trouble is now partially solved simply by using the following jQuery instruction:

$.support.cors = true;

http://net-informations.com/jq/iq/default.htm

Please or to participate in this conversation.