Laravel Cors

Hello. I am trying to do a crossdomain ajax request from my main domain to (my API domain).

I am receiving (On the client side, when the ajax has been send): Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource

What have I tried?<br>

I tried using header() in my index.php:

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS, HEAD');
header('Access-Control-Allow-Headers: origin, Content-Type, Authorization, accept, soapaction, X-CSRF-Token');
header('Access-Control-Max-Age: 2000');

I tried making a middleware:

return $next($request)
            ->header('Access-Control-Allow-Origin', '*')
            ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
            ->header('Access-Control-Allow-Headers', 'Content-Type, Accept, Authorization, X-Requested-With, Application');

And now I am trying to use this:


I am also using Laravel 5.4 on IIS, with php 7

I have been trying to get this to work for multiple days, what is the issue?

Have I found anything works? Yes, putting all the headers in web.config works, but I don't want to do that for multiple reasons. It'll enable it on all domains of my Laravel project, along with multiple other reasons.

Routing (web.php):

Route::group(['domain' => '', 'namespace' => 'Api'], function() {
    Route::group(['middleware' => 'cors', 'prefix' => 'ajax'], function() {
        Route::get('/rooms/{id}/get-locked-status', '[email protected]');
        Route::any('/rooms/{id}/update-locked-status', '[email protected]');


protected $middlewareGroups = [
	'web' => [
		// \Illuminate\Session\Middleware\AuthenticateSession::class,

	'api' => [

Cors config:

return [
     | Laravel CORS
     | allowedOrigins, allowedHeaders and allowedMethods can be set to array('*')
     | to accept any value.
    'supportsCredentials' => false,
    'allowedOrigins' => array('*'),
    'allowedHeaders' => array('*'),
    'allowedMethods' => array('*'), // ex: ['GET', 'POST', 'PUT',  'DELETE']
    'exposedHeaders' => [],
    'maxAge' => 0,

JS (Client side):

    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')

function toggleDoors(roomId) {
        url: '' + roomId + '/update-locked-status',
        type: "GET",
        error: function(req, message) {
            alert('Error: ' + message);
        success: function(data) {

function showNotification(notificationText) {
    var notificationArea = $('#notification_area');
    var notification = $("<div>").addClass("ajax-alert success").html(notificationText);


Can anyone help me with this?

GrahamCampbell replied 11 months ago

On Laravel, you should never call the global header function. You must use the object oriented interface.

GrahamCampbell replied 11 months ago

Also, the first result on Google for "Laravel cors" is.

Sign in to participate in this thread!

We'd like to thank these amazing companies for supporting us