Laravel API cors - request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response
Stefan Bogdanescu
Founder & Senior Architect · 2026-06-29
Mastering CORS in Laravel: Solving the "Request Header Field Not Allowed" Preflight Error
As developers building modern Single Page Applications (SPAs) with backend APIs, Cross-Origin Resource Sharing (CORS) is an unavoidable hurdle. While setting up simple CORS headers seems straightforward, navigating the complexities of preflight requests (OPTIONS method) and custom header allowances often leads to frustrating errors like the one you encountered: "Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response."
This issue usually stems from a mismatch between the headers the Angular client attempts to send (like Authorization) and the headers your Laravel API explicitly permits in its preflight response. As a senior developer, let's dive deep into why this happens and how to correctly configure CORS within a Laravel environment.
Understanding CORS Preflight Requests
When a browser makes a "complex" request—one that uses non-simple methods (like PUT, DELETE) or custom headers (like Authorization, Content-Type)—it first sends an automatic preliminary request called the CORS preflight request. This is an OPTIONS request sent to the server before the actual request.
The browser asks the server: "Is it safe for this origin (http://localhost:4200) to perform a POST request with these specific headers?"
For the browser to proceed, the server must respond correctly for this OPTIONS request by including appropriate CORS headers, most critically Access-Control-Allow-Headers. If your Laravel middleware doesn't explicitly list every header the client intends to use (including custom ones like Authorization), the browser blocks the subsequent actual request, resulting in the error you saw.
Diagnosing Your Laravel CORS Setup
Let's examine the configuration you provided:
public function handle($request, Closure $next)
{
return $next($request)
->header('Access-Control-Allow-Origin', 'http://localhost:4200')
->header('Access-Control-Allow-Credentials', 'true')
->header('Access-Control-Allow-Methods', 'GET,HEAD,OPTIONS,POST,PUT') // Note the trailing quote issue here
->header('Access-Control-Allow-Headers', 'Origin, Content-Type'); // This is the key area
}
The problem lies in the Access-Control-Allow-Headers line. You are currently only allowing Origin and Content-Type. If your Angular application needs to send an Authorization header for authentication (which is common when uploading images or accessing protected data), that header must be explicitly added to this list for the preflight check to pass.
The Solution: Explicitly Allowing All Necessary Headers
To resolve the "Request header field authorization is not allowed" error, you need to update your middleware to include all headers your client might send in the request. Since you are dealing with authentication and file uploads, you likely need to allow standard headers plus any custom ones.
Updated CORS Middleware Implementation
Modify your middleware to explicitly list the headers required by your Angular frontend. For demonstration, if you anticipate needing Authorization and Content-Type, update the line as follows:
public function handle($request, Closure $next)
{
// Define the allowed headers based on client needs
$allowedHeaders = 'Origin, Content-Type, Authorization'; // Added Authorization here!
return $next($request)
->header('Access-Control-Allow-Origin', 'http://localhost:4200')
->header('Access-Control-Allow-Credentials', 'true')
->header('Access-Control-Allow-Methods', 'GET,HEAD,OPTIONS,POST,PUT')
// Crucially update this line
->header('Access-Control-Allow-Headers', $allowedHeaders);
}
Why this works: By including Authorization in the Access-Control-Allow-Headers response, you explicitly inform the browser that it is safe to send the Authorization header during the preflight check. This synchronization between client request and server allowance resolves the security block imposed by the CORS policy.
Laravel Best Practices for API Security
When building robust APIs with Laravel, security is paramount. While CORS configuration handles cross-origin communication, remember that authorization logic (like checking if a user has permission to upload an image) must always be enforced on the server side, regardless of how the headers are set. Frameworks like Laravel provide excellent tools for protecting routes and managing authentication, ensuring that even if a CORS error is fixed, your API endpoints remain secure. Always rely on Laravel's built-in authentication guards and authorization system for true access control.
Conclusion
The CORS preflight error regarding disallowed request headers is a classic symptom of incomplete configuration in the Access-Control-Allow-Headers response. By treating the OPTIONS request as a critical part of the communication flow and explicitly listing every header your client intends to use, you ensure that both the browser and the server agree on the allowed communication methods. Implement this principle—explicit allowance for all required headers—to smoothly integrate your Laravel backend with your Angular frontend.