isMethod('OPTIONS')) { return response('', 204) ->header('Access-Control-Allow-Origin', $this->origin($request)) ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS') ->header('Access-Control-Allow-Headers', 'Authorization, Content-Type, Accept, X-Requested-With, Origin') ->header('Access-Control-Allow-Credentials', 'true') ->header('Access-Control-Max-Age', '86400'); } /** @var Response $response */ $response = $next($request); $response->headers->set('Access-Control-Allow-Origin', $this->origin($request)); $response->headers->set('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS'); $response->headers->set('Access-Control-Allow-Headers', 'Authorization, Content-Type, Accept, X-Requested-With, Origin'); $response->headers->set('Access-Control-Allow-Credentials', 'true'); return $response; } /** * Determine the allowed origin for the response. */ private function origin(Request $request): string { if (in_array('*', $this->allowedOrigins)) { return '*'; } $origin = $request->header('Origin', ''); return in_array($origin, $this->allowedOrigins) ? $origin : $this->allowedOrigins[0]; } }