Laravel 9 - CORS is not working (Access to XMLHttpRequest has been blocked by CORS policy)
Stefan Izdrail
Founder & Senior Architect · 2026-06-29
Title: Resolving Laravel 9 CORS Issues with Vuejs Frontend App
Body: Laravel is a powerful PHP framework for creating elegant web applications. VueJS, on the other hand, is one of the most popular JavaScript libraries to create interactive and reactive user interfaces. The combination of these two technologies is an excellent choice for building responsive frontend-backend applications. However, sometimes you may encounter Cross-Origin Resource Sharing (CORS) issues when accessing API responses from a Vuejs frontend application. In this comprehensive guide, we will discuss the reasons behind such problems and provide solutions to resolve these CORS issues in a Laravel 9 project with a Vuejs frontend application.
Understanding CORS Issues
CORS is a security feature designed to prevent Cross-Site Request Forgery (CSRF) attacks by allowing only specific origins to access resources from different domains. When your Laravel 9 API is hosted on 'http://localhost:8000' and the Vuejs application is running on 'http://127.0.0.1:8080,' there will be an inherent cross-origin access issue if the API response has no 'Access-Control-Allow-Origin' header. This header specifies the origins which can safely access your API resources, and without it, browsers won't allow CORS requests to succeed.Configuring Laravel CORS
To solve this issue, you need to ensure that your Laravel application is sending the required 'Access-Control-Allow-Origin' header in its API responses. You can achieve this through either modifying your `cors.php` file or using a third party library like Valesta. Here's an example of updating `cors.php` to allow all origins:<?php
return [
'paths' => ['api/*', 'sanctum/csrf-cookie'],
'allowed_methods' => ['*'],
'allowed_origins' => ['*'],
'allowed_origins_patterns' => [],
'allowed_headers' => ['*'],
'exposed_headers' => [],
'max_age' => 0,
'supports_credentials' => false,
];
This configuration will allow access to the API responses from all origins. However, it is not recommended to keep this setting in production as it may open your resources up to security risks. The best practice would be to restrict the allowed origins to specific domains that require access to your API. For more information on configuring CORS in Laravel, please refer to the official documentation: https://laravel.com/docs/9.x/cors#configuration
Configuring Vuejs Application
If you are using Axios for making HTTP requests from your Vuejs frontend application, you can configure the Axios instance to allow cross-origin access:<script>
import { createApp } from 'vue'
import axios from 'axios'
import VueAxios from 'vue-axios'
const app = createApp(App)
app.use(VueAxios, axios.create({
baseURL: 'http://localhost:8000/api',
withCredentials: true,
crossDomain: true,
}))
app.mount('#app')
This configuration allows your Vuejs application to access the Laravel API responses safely without encountering CORS issues. If you are still facing problems, ensure that your browser's extension or settings are not blocking cross-origin requests.