Steps needed to make it work (on Lumen only)

• copy cors.php to config\cors.php
• Then on bootstrap\app.php enable configuration, add this line $app->configure('cors');
• (in my case, I was in question why the cors value is empty)
• Then add this line \Illuminate\Http\Middleware\HandleCors::class to $app->middleware
• Once that done. If you have custom header such as in my case x-api-key you must add it to allowed_headers array example: ['x-api-key']
• Then on your api call such as axios you can add it to your custom headers which is base on this documentation Doc
• Note that the X-Auth-Token should be pass as x-auth-token as I check, the server returns it as small cases.

Hi. I have PHP version 8.1.3.
We have an error for updating Laravel to version 9

Root composer.json requires fruitcake/laravel-cors ^1.2.0, found fruitcake/laravel-cors
[dev-feat-lazyoptions, dev-feat-groupmiddleware, dev-test-single, dev-feat-middlewaretest, 
dev-feat-actions, dev-feat-browsertests, dev-master, dev-v1-backport, dev-feat-prependmiddleware, 
dev-develop, dev-barryvdh-test-laravel9, 
v0.1, ..., 0.11.x-dev, v1.0.0, ..., 1.0.x-dev, v2.0.0-beta1, ..., 2.2.x-dev, v3.0.0, 3.0.x-dev 
(alias of dev-master)] 
but it does not match the constraint.

The Access-Control-Request-Methods header exists in both singular and plural variants.

My firefox sends the plural version, and this package seams to only support the singular version.

Is it necessary to include the Vary header in responses to non-CORS requests that wouldn't be cached anyway?
For example, if the request is a POST or PUT request, which are typically not cached,
do we still need to respond with "Vary: Origin"? Personally, I don't think it's particularly necessary.

Related information:

#24
#25

I have a requirement. The Access-Control-Expose-Headers response header has different response values on different routes. Currently, the cos.php configuration is uniformly configured, but I don't want to return redundant data like this. So I want to ask if there is any way to achieve this requirement?

Can I submit a PR to modify the method at https://github.com/fruitcake/php-cors/blob/master/src/CorsService.php#L261 so that it first obtains the Access-Control-Expose-Headers response header of $response and then responds by merging $this->exposedHeaders?

Hello I switched to Lumen 9.1.6. I had composer saying that laravel-cors has to be replaced. Currently, I have in app.php :

<?php

$app->configure('cors');

$app->middleware([
    Fruitcake\Cors\HandleCors::class,
]);

$app->register(Fruitcake\Cors\CorsServiceProvider::class);

I have replaced \Fruitcake\Cors\HandleCors::class, with \Illuminate\Http\Middleware\HandleCors::class but what about the service provider ?

After enabling the CORS middleware in Laravel, it was found that the "Vary: Origin" header is always added regardless of whether it is a CORS request or not.

I don't think it is necessary if it is not a CORS request.

https://github.com/fruitcake/php-cors/blob/v1.3.0/src/CorsService.php#L218

Hi
we just upgraded to Laravel 9 and PHP 8.1 and noticed the following message in the logs:
strpos(): Passing null to parameter #1 ($haystack) of type string is deprecated in vendor/fruitcake/php-cors/src/CorsService.php on line 108

Summary

This proposal aims to enhance the php-cors library by adding support for dynamic of the Access-Control-Expose-Headers header. Currently, this header is set globally, which limits flexibility in scenarios where different routes require different exposed headers.

Motivation

In complex applications, different routes often need to expose different custom headers. The current static, global configuration of Access-Control-Expose-Headers in php-cors doesn't provide the necessary flexibility for such cases. This proposal seeks to address this limitation by allowing developers to dynamically set exposed headers at the controller or middleware level.

Proposed Implementation

1. Modify the CORS middleware to check for an Access-Control-Expose-Headers header in the response object.
2. If present, merge this dynamically set header with the globally configured exposed headers.
3. Use the combined list when setting the final Access-Control-Expose-Headers header in the CORS response.

The changelog is missing the updates for 1.3.0. Can this please be added?