CORS in PHP Applications: 3 Examples

Explore 3 practical examples of implementing CORS in PHP applications to enhance API interoperability.
By Jamie

Understanding CORS in PHP Applications

Cross-Origin Resource Sharing (CORS) is a security feature implemented in web browsers that allows or restricts resources requested from another domain outside the domain from which the resource was served. When building APIs, it’s essential to configure CORS properly to enable client-side applications hosted on different origins to access your API securely. Below are three practical examples of implementing CORS in PHP applications.

Example 1: Basic CORS Configuration

Use Case

This example demonstrates a straightforward CORS implementation that allows requests from a specific origin, making it suitable for APIs that need to be accessed by a known front-end application.

<?php
// Allow only specific origin
header('Access-Control-Allow-Origin: https://example-client.com');

// Allow specific headers
header('Access-Control-Allow-Headers: Content-Type, Authorization');

// Allow specific methods
header('Access-Control-Allow-Methods: GET, POST, OPTIONS');

// Handle preflight requests
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(200);
    exit;
}

// Your API logic goes here
echo json_encode(['message' => 'CORS Configured Successfully!']);
?>

Notes

  • This configuration allows requests only from https://example-client.com. You can modify this origin based on your needs.
  • The OPTIONS method is handled to respond to preflight requests, which is essential when using methods other than GET or POST.

Example 2: Allowing Multiple Origins

Use Case

In scenarios where your API needs to be accessed from multiple different origins, this example shows how to dynamically allow those origins in your PHP application.

<?php
$allowed_origins = ['https://client1.com', 'https://client2.com'];
\(origin = \)_SERVER['HTTP_ORIGIN'];

if (in_array(\(origin, \)allowed_origins)) {
    header('Access-Control-Allow-Origin: ' . $origin);
}

header('Access-Control-Allow-Headers: Content-Type, Authorization');
header('Access-Control-Allow-Methods: GET, POST, OPTIONS');

if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(200);
    exit;
}

// Your API logic goes here
echo json_encode(['message' => 'CORS for Multiple Origins Configured!']);
?>

Notes

  • This implementation checks if the incoming origin is in the allowed origins array.
  • You can expand the $allowed_origins array to include as many domains as necessary.

Example 3: CORS with Credentials Support

Use Case

This example illustrates how to implement CORS when your API requires credentials (like cookies or HTTP authentication) to be sent with requests. This is common in applications that need user-specific data.

<?php
header('Access-Control-Allow-Origin: https://example-client.com');
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Allow-Headers: Content-Type, Authorization');
header('Access-Control-Allow-Methods: GET, POST, OPTIONS');

if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(200);
    exit;
}

// Your API logic goes here
session_start();  // Start session to use cookies
if (isset($_SESSION['user'])) {
    echo json_encode(['message' => 'CORS with Credentials Configured!', 'user' => $_SESSION['user']]);
} else {
    echo json_encode(['message' => 'No user session found.']);
}
?>

Notes

  • The Access-Control-Allow-Credentials header is set to true, which allows the browser to send cookies along with the request.
  • Ensure that the Access-Control-Allow-Origin header is set to a specific origin rather than *, as browsers do not allow credentials with wildcard origins.

By following these examples of CORS in PHP applications, developers can effectively manage cross-origin requests and enhance API accessibility while maintaining security.