Default CORS configuration #55504
Unanswered
gradecost2 asked this question in Ideas
Replies: 0 comments
I suggest modifying the default CORS settings (the config/cors.php file).
The current configuration specifies 'allowed_origins' => ['*'], which means that the API is accessible from all domains. However, this is only appropriate for a public API. In most cases, this setting should specify a list of domains allowed to access the API.
Since these settings are not included in the global project configuration (e.g., .env), most developers tend to overlook them and fail to define restrictions.
Additionally, the CORS settings may vary depending on the development environment, making it inconvenient to store them directly in the config/cors.php file under version control (e.g., Git).
I believe a better approach would be as follows:
File: config/cors.php
'allowed_origins' => explode(',', env('CORS_ALLOWED_DOMAINS', '*')),
File: .env
CORS_ALLOWED_DOMAINS=https://www.example1.com,https://www.example2.com
This approach allows for environment-specific configurations, making it easier to manage different CORS settings for development, staging, and production.
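An added example, not part of gradecost2's post and not the Laravel project's own config/cors.php: a config/cors.php that takes the origin allowlist from the environment as proposed above, and adds the two checks a reviewer would ask for before merging such a change. The parsing closure, the CORS_SUPPORTS_CREDENTIALS variable and the startup checks are assumptions of this example; the array keys are the ones Laravel's shipped cors.php uses.

```php
<?php
// config/cors.php (example, not Laravel's default file)

// Assumed helper: turn "https://a.example, https://b.example/" into
// ['https://a.example', 'https://b.example']. Trimming matters because a
// .env line written with spaces after the commas, or an origin with a
// trailing slash, would otherwise never match the browser's Origin header,
// which is compared as an exact string.
$originsFromEnv = static function (string $key, string $default): array {
    $raw = (string) env($key, $default);
    $origins = [];
    foreach (explode(',', $raw) as $origin) {
        $origin = rtrim(trim($origin), '/');
        if ($origin !== '') {
            $origins[] = $origin;
        }
    }
    return $origins;
};

// Default of '*' keeps the behaviour of the shipped config when the
// variable is absent; set CORS_ALLOWED_DOMAINS explicitly in production.
$allowedOrigins = $originsFromEnv('CORS_ALLOWED_DOMAINS', '*');

// Assumed extra variable so the credentials flag is environment-specific too.
$supportsCredentials = (bool) env('CORS_SUPPORTS_CREDENTIALS', false);

// Check 1: every entry must be a bare origin (scheme://host[:port]).
// A path, query or missing scheme silently never matches any request.
foreach ($allowedOrigins as $origin) {
    if ($origin === '*') {
        continue;
    }
    $parts = parse_url($origin);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])
        || isset($parts['path']) || isset($parts['query'])) {
        throw new RuntimeException(
            "CORS_ALLOWED_DOMAINS entry '{$origin}' is not a bare origin (scheme://host[:port])."
        );
    }
}

// Check 2: wildcard plus credentials is never what anyone means. Browsers
// refuse a credentialed response whose Access-Control-Allow-Origin is '*',
// so a CORS layer can only honour this pair by reflecting the request
// Origin, which hands every site credentialed access to the API.
if ($supportsCredentials && in_array('*', $allowedOrigins, true)) {
    throw new RuntimeException(
        'CORS_ALLOWED_DOMAINS must list explicit origins when CORS_SUPPORTS_CREDENTIALS is true.'
    );
}

return [
    'paths' => ['api/*', 'sanctum/csrf-cookie'],
    'allowed_methods' => ['*'],
    'allowed_origins' => $allowedOrigins,
    'allowed_origins_patterns' => [],
    'allowed_headers' => ['*'],
    'exposed_headers' => [],
    'max_age' => 0,
    'supports_credentials' => $supportsCredentials,
];
```

With `CORS_ALLOWED_DOMAINS=https://www.example1.com, https://www.example2.com/` in .env the resulting allowlist is the two bare origins; with `CORS_ALLOWED_DOMAINS=https://www.example1.com/app` or with `CORS_SUPPORTS_CREDENTIALS=true` and the wildcard default, the application refuses to boot (and `php artisan config:cache` fails) instead of shipping a misconfiguration. Reading the variable inside the config file is also what keeps it working once the config is cached, since `env()` is only reliable there.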