Headers and CORS

Headers middleware is used to set up request/response headers and control CORS for your application.


To enable CORS headers add the following section to your configuration.

version: "3"

  middleware: ["headers"]
  # ...
      allowed_origin: "*"
      # If `allowed_origin_regex` option is set, the content of `allowed_origin` is ignored
      allowed_origin_regex: "^http://foo"
      allowed_headers: "*"
      allowed_methods: "GET,POST,PUT,DELETE"
      allow_credentials: true
      exposed_headers: "Cache-Control,Content-Language,Content-Type,Expires,Last-Modified,Pragma"
      max_age: 600
      # Status code to use for successful OPTIONS requests. Default value is 200.
      options_success_status: 200
      # Debugging flag adds additional output to debug server side CORS issues, consider disabling in production.
      debug: false

Make sure to declare "headers" middleware.

Since RoadRunner v2023.2.0 following changes were made:

  • Ability to define status code of successful OPTIONS request via options_success_status config;

  • Debug flag (debug: true/false) was added to enable additional output to debug CORS issues;

  • Allowed to define multiple allowed_origin values separated by comma;

  • CORS requests are handled using rs/cors package.

Custom headers for Response or Request

You can control additional headers to be set for outgoing responses and headers to be added to the request sent to your application.

version: "3"

  # ...
      # Automatically add headers to every request passed to PHP.
        Example-Request-Header: "Value"
      # Automatically add headers to every response.
        X-Powered-By: "RoadRunner"

Last updated