Laravel CORS with Fruitcake
Stefan Izdrail
Founder & Senior Architect · 2026-06-29
Laravel is an excellent PHP framework for web development, but occasionally, you might face challenges when integrating it with React. One of these problems could be Cross-Origin Resource Sharing (CORS) issues. In this blog post, we will discuss common CORS problems in Laravel and how to use the Fruitcake package to solve them.
Understanding Laravel CORS Issues
Cross-Origin Resource Sharing is a way of allowing resources from different domains to be accessed by each other. It helps ensure that sensitive data remains secure while enabling communication between multiple services and applications. However, due to security regulations, browsers restrict access to certain resources across origins.
Configuring CORS in Laravel
To enable your React app to interact with the Laravel API, you'll need to configure proper CORS settings within your Laravel application. Firstly, ensure that CORS is enabled globally by adding a CorsServiceProvider to the providers array of app/config/app.php:
'providers' => [
// ...
Illuminate\Http\Middleware\ValidatePostSize::class,
Fruitcake\Cors\HandleCors::class,
// ...
],
Next, you need to configure the CORS settings. Create a cors.php configuration file in your Laravel project's config folder:
'paths' => ['api/*'],
/*
* Matches the request method. `[*]` allows all methods.
*/
'allowed_methods' => ['*'],
/*
* Matches the request origin. `[*]` allows all origins.
*/
'allowed_origins' => ['*'],
/*
* Matches the request origin with, similar to `Request::is()`
*/
'allowed_origins_patterns' => [],
/*
* Sets the Access-Control-Allow-Headers response header. `[*]` allows all headers.
*/
'allowed_headers' => ['*'],
/*
* Sets the Access-Control-Expose-Headers response header.
*/
'exposed_headers' => false,
/*
* Sets the Access-Control-Max-Age response header.
*/
'max_age' => false,
/*
* Sets the Access-Control-Allow-Credentials header.
*/
'supports_credentials' => false,
The above configuration allows all methods (allowed_methods), origins (allowed_origins), and headers (allowed_headers). It also disables credential support, exposes no extra headers, and sets no max age. Note that you may adjust these settings according to your application's specific needs.
Registering Middleware for CORS
To make use of the Fruitcake configuration, add a line in your kernel file app/Http/Kernel.php beneath the $middleware array as follows:
\Fruitcake\Cors\HandleCors::class,
This will handle the CORS for every request made to your Laravel application.
Common Issues and Troubleshooting
In addition to configuring CORS in Laravel, you might face other issues while integrating with React. Here are some common problems and their solutions:
1. Missing CORS configuration: Ensure that the appropriate CORS settings are set up correctly, as described earlier. 2. Improper use of CORS in React: Ensure that the React app is correctly configured to make cross-origin requests by setting the correct headers or using tools like Axios with credentials enabled. 3. Cross-Origin Request Blocked: To fix this issue, add the Access-Control-Allow-Origin header in Laravel's response or allow all origins in cors.php configuration file. 4. Other CORS issues: To troubleshoot, use browser developer tools to inspect network requests and look for any CORS errors, and adjust your configurations accordingly.In conclusion, understanding and properly configuring CORS settings in Laravel and React can lead to a smoother integration between the two platforms. By following the best practices outlined above and troubleshooting common issues, you'll be well on your way towards building successful web applications.