christoph-kluge / reactphp-http-cors-middleware
A cors middleware for the ReactPHP HTTP-Server
Installs: 10 491
Dependents: 3
Suggesters: 0
Security: 0
Stars: 10
Watchers: 4
Forks: 5
Open Issues: 1
Requires
- php: >=5.6.0
- neomerx/cors-psr7: ^1.0
- psr/http-message: ^1.0
- react/http: ^1.0.0
- react/promise: ^2.5
Requires (Dev)
- phpunit/phpunit: ^4.8.10||^5.0
- ringcentral/psr7: ^1.2
This package is auto-updated.
Last update: 2024-12-21 22:38:34 UTC
README
This middleware implements Cross-origin resource sharing for ReactPHP. This repository got mainly inspired by tuupola/cors-middleware. Additional configuration ideas got taken from barryvdh/laravel-cors and nelmio/NelmioCorsBundle. The internal heavy lifting is done by neomerx/cors-psr7 library.
Install
To install via Composer, use the command below, it will automatically detect the latest version and bind it with ^
.
composer require christoph-kluge/reactphp-http-cors-middleware
This middleware will detect CORS requests and will intercept the request if there is something invalid.
Usage
$server = new HttpServer( new CorsMiddleware(), function (ServerRequestInterface $request, callable $next) { return new Response(200, ['Content-Type' => 'text/html'], 'We test CORS'); }, );
Configuration
The defaults for this middleware are mainly taken from enable-cors.org.
Available configuration options
Thanks to expressjs/cors#configuring-cors. As I took most configuration descriptions from there.
server_url
: can be used to set enable strictHost
header checks to avoid malicious use of our server. (default:null
)response_code
: can be used to set the HTTP-StatusCode on a successfulOPTIONS
/ Pre-Flight-Request (default:204
)allow_credentials
: Configures theAccess-Control-Allow-Credentials
CORS header. Expects an boolean (ex:true
// to set the header)allow_origin
: Configures theAccess-Control-Allow-Origin
CORS header. Expects an array (ex:['http://example.net', 'https://example.net']
).allow_origin_callback
: Will setallow_origin
to an empty array[]
and use the callback on a per-request base. The first parameter is an instance ofParsedUrlInterface
and the callback is expected to return anboolean
.allow_methods
: Configures theAccess-Control-Allow-Methods
CORS header. Expects an array (ex:['GET', 'PUT', 'POST']
).allow_headers
: Configures theAccess-Control-Allow-Headers
CORS header. Expects an array (ex:['Content-Type', 'Authorization']
).expose_headers
: Configures theAccess-Control-Expose-Headers
CORS header. Expects an array (ex:['Content-Range', 'X-Content-Range']
).max_age
: Configures theAccess-Control-Max-Age
CORS header. Expects an integer representing seconds (ex:1728000
// 20 days)
Default Settings (Allow All CORS Requests)
$settings = [ 'allow_credentials' => true, 'allow_origin' => ['*'], 'allow_methods' => ['GET', 'POST', 'PUT', 'DELETE', 'HEAD', 'OPTIONS'], 'allow_headers' => ['DNT','X-Custom-Header','Keep-Alive','User-Agent','X-Requested-With','If-Modified-Since','Cache-Control','Content-Type','Content-Range','Range'], 'expose_headers' => ['DNT','X-Custom-Header','Keep-Alive','User-Agent','X-Requested-With','If-Modified-Since','Cache-Control','Content-Type','Content-Range','Range'], 'max_age' => 60 * 60 * 24 * 20, // preflight request is valid for 20 days ];
Allow specific origins (Origin requires scheme, host and optionally port)
$server = new HttpServer( new CorsMiddleware([ 'allow_origin' => [ 'http://www.example.net', 'https://www.example.net', 'http://www.example.net:8443', ], ]) );
Allow origins on a per-request base (callback)
$server = new HttpServer( new CorsMiddleware([ 'allow_origin' => [], 'allow_origin_callback' => function(ParsedUrlInterface $origin) { // do some evaluation magic with origin .. return true; }, ]) );
Use custom response code on pre-flight requests
Some legacy browsers choke on 204. Thanks to expressjs/cors#configuring-cors for that.
$server = new HttpServer( new CorsMiddleware([ 'response_code' => 200, ]) );
Use strict host checking
The default handling of this middleware will allow any "Host"-header. This means that you can use your server with any hostname you want. This might be a desired behavior but allows also the misuse of your server.
To prevent such a behavior there is a server_url
option which will enable strict host checking. In this scenario
the server will return a 403
with the body Origin not allowed
.
$server = new HttpServer( new CorsMiddleware([ 'server_url' => 'http://api.example.net:8080' ]) );
License
The MIT License (MIT)
Copyright (c) 2017 Christoph Kluge
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.