Headers and CORS

The headers middleware sets request/response headers and controls CORS for your application.

CORS

To enable CORS headers, add the following section to your configuration.

.rr.yaml
version: "3"

http:
  address: 127.0.0.1:44933
  middleware: ["headers"]
  # ...
  headers:
    cors:
      allowed_origin: "*"
      # If `allowed_origin_regex` option is set, the content of `allowed_origin` is ignored
      allowed_origin_regex: "^http://foo"
      allowed_headers: "*"
      allowed_methods: "GET,POST,PUT,DELETE"
      allow_credentials: true
      exposed_headers: "Cache-Control,Content-Language,Content-Type,Expires,Last-Modified,Pragma"
      max_age: 600
      # Status code to use for successful OPTIONS requests. Default value is 200.
      options_success_status: 200
      # Debugging flag adds additional output to debug server side CORS issues, consider disabling in production.
      debug: false

Make sure to declare "headers" middleware.

Since RoadRunner v2023.2.0, the following changes were made:

  • Ability to define status code of successful OPTIONS request via options_success_status config;

  • Debug flag (debug: true/false) was added to enable additional output to debug CORS issues;

  • Allowed to define multiple allowed_origin values separated by comma;

  • CORS requests are handled using rs/cors package.

Custom headers for response or request

You can control additional headers for outgoing responses and headers to be added to requests sent to your application.

.rr.yaml
version: "3"

http:
  # ...
  headers:
      # Automatically add headers to every request passed to PHP.
      request:
        Example-Request-Header: "Value"
    
      # Automatically add headers to every response.
      response:
        X-Powered-By: "RoadRunner"

Last updated

Was this helpful?