Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
Hi, I have a weird situation that's been happening for about a year now. Every now and then, for some minutes, all requests who need a preflight request fail, because out of nowhere the 'access-control-allow-...' headers are missing.
I tried restarting the server, clearing the cache, messing around with the order and content of the cors middleware and the headers, and I've found no fix. The only solution is to just come back about 30 minutes later and send the requests again. Only then they start working again.
The only thing I've noticed, is that the headers are back again only if the origin doesn't match. For example, if I put some invalid domain in the 'Access-Control-Allow-Origin' header. But if the headers are correct and matching what needs to match, then they disappear, only to appear again some 30 minutes later.
Having such a sporadic behaviour, and most of the time working correctly, it's been very frustrating and hard to identify why this is happpening. Does anyone have any ideas? I'm using Laravel 7.3.0 as back-end and NuxtJs with Axios as front-end. I'm also using Cloudflare and Docker.
namespace App\Http\Middleware;
use Closure;
use Sentry\Laravel\Facade;
class Cors
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
$response = $next($request);
//In case of avatars, header() is not StreamedResponse function.
if ($response instanceof \Symfony\Component\HttpFoundation\StreamedResponse) {
return $response;
}
$IlluminateResponse = 'Illuminate\Http\Response';
$SymfonyResponse = 'Symfony\Component\HttpFoundation\Response';
$JsonResponse = 'Illuminate\Http\JsonResponse';
$headers = [
'Access-Control-Allow-Origin' => "*",
'Access-Control-Allow-Methods' => 'POST, GET, OPTIONS, PUT, PATCH, DELETE',
'Access-Control-Allow-Headers' => 'Access-Control-Allow-Headers, Origin,Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Authorization , Access-Control-Request-Headers',
'Access-Control-Allow-Crendentials' => 'true'
];
if($response instanceof $IlluminateResponse || $response instanceof $JsonResponse) {
foreach ($headers as $key => $value) {
$response->header($key, $value);
}
return $response;
}
if($response instanceof $SymfonyResponse) {
foreach ($headers as $key => $value) {
$response->headers->set($key, $value);
}
return $response;
}
return $response;
}
}
The only solution I've found is to restart the php fpm docker container every time this happens. I've tried various versions, upgrading to php8 as well, and the same issue still occurs. I've set a cron that restarts the container every 4 hours, but in some cases, users still experience issues. I'm really out of ideas.
Did you find any solution? I have the same issue, the CORS error appear randomly. Sometimes there are CORS errors, sometimes they disappear... It's driving me crazy.
@mgksmv If I remember right I just replaced the star in 'Access-Control-Allow-Origin' => "*" with all the front-end domains that had access to that specific laravel backend. But since then I started a few more laravel projects and never had that issue again. Could be due to an older laravel version or bad nginx/apache configuration. Other place to check in case you have your backend under Cloudflare, is if there are any settings that can alter the headers of the requests going through that proxy. It's a tricky error because there are many places where this can go wrong. From what I remember I think the browser actually blocked the requests, so make sure in front-end everything works correctly as well. I was using Vue/Nuxt and was experimenting with some kind of proxy middleware, but sadly don't remember if that helped or not. Best of luck!
Please or to participate in this conversation.