Laravel Cors

Hello. I am trying to do a crossdomain ajax request from my main domain to (my API domain).

I am receiving (On the client side, when the ajax has been send): Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource

What have I tried?<br>

I tried using header() in my index.php:

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS, HEAD');
header('Access-Control-Allow-Headers: origin, Content-Type, Authorization, accept, soapaction, X-CSRF-Token');
header('Access-Control-Max-Age: 2000');

I tried making a middleware:

return $next($request)
            ->header('Access-Control-Allow-Origin', '*')
            ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
            ->header('Access-Control-Allow-Headers', 'Content-Type, Accept, Authorization, X-Requested-With, Application');

And now I am trying to use this:


I am also using Laravel 5.4 on IIS, with php 7

I have been trying to get this to work for multiple days, what is the issue?

Have I found anything works? Yes, putting all the headers in web.config works, but I don't want to do that for multiple reasons. It'll enable it on all domains of my Laravel project, along with multiple other reasons.

Routing (web.php):

Route::group(['domain' => '', 'namespace' => 'Api'], function() {
    Route::group(['middleware' => 'cors', 'prefix' => 'ajax'], function() {
        Route::get('/rooms/{id}/get-locked-status', '[email protected]');
        Route::any('/rooms/{id}/update-locked-status', '[email protected]');


protected $middlewareGroups = [
	'web' => [
		// \Illuminate\Session\Middleware\AuthenticateSession::class,

	'api' => [

Cors config:

return [
     | Laravel CORS
     | allowedOrigins, allowedHeaders and allowedMethods can be set to array('*')
     | to accept any value.
    'supportsCredentials' => false,
    'allowedOrigins' => array('*'),
    'allowedHeaders' => array('*'),
    'allowedMethods' => array('*'), // ex: ['GET', 'POST', 'PUT',  'DELETE']
    'exposedHeaders' => [],
    'maxAge' => 0,

JS (Client side):

    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')

function toggleDoors(roomId) {
        url: '' + roomId + '/update-locked-status',
        type: "GET",
        error: function(req, message) {
            alert('Error: ' + message);
        success: function(data) {

function showNotification(notificationText) {
    var notificationArea = $('#notification_area');
    var notification = $("<div>").addClass("ajax-alert success").html(notificationText);


Can anyone help me with this?

GrahamCampbell replied 1 year ago

On Laravel, you should never call the global header function. You must use the object oriented interface.

GrahamCampbell replied 1 year ago

Also, the first result on Google for "Laravel cors" is.

Sign in to participate in this thread!

We'd like to thank these amazing companies for supporting us