Make sure to read carefully what CORS does and does not. CORS do not secure your API,
but allow the developer to grant access to third party code (ajax calls from external domain).
You may use CORS filter by attaching it as a behavior to a controller or module, like the following,
php
public function behaviors()
{
return [
'corsFilter' => [
'class' => \yii\filters\Cors::className(),
],
];
}
The CORS filter can be specialized to restrict parameters, like this,
MDN CORS Information
php
public function behaviors()
{
return [
'corsFilter' => [
'class' => \yii\filters\Cors::className(),
'cors' => [
restrict access to
'Origin' => ['http://www.myserver.com', 'https://www.myserver.com'],
'Access-Control-Request-Method' => ['POST', 'PUT'],
Allow only POST and PUT methods
'Access-Control-Request-Headers' => ['X-Wsse'],
Allow only headers 'X-Wsse'
'Access-Control-Allow-Credentials' => true,
Allow OPTIONS caching
'Access-Control-Max-Age' => 3600,
Allow the X-Pagination-Current-Page header to be exposed to the browser.
'Access-Control-Expose-Headers' => ['X-Pagination-Current-Page'],
],
],
];
}
For more information on how to add the CORS filter to a controller, see
the Guide on REST controllers.
public function behaviors() { $behaviors = parent::behaviors(); $behaviors['authenticator'] = ['class' => HttpBearerAuth::className(), 'except' => ['options']]; $behaviors['corsFilter'] = ['class' => Cors::className()]; return $behaviors; }
public function behaviors() { // Options Request Behavior must going at first because swagger makes OPTIONS requests before POST // and this behavior must run early than VerbsFilter $behaviors = ['optionsRequestFilter' => OptionsRequestFilter::className()]; $behaviors = array_merge($behaviors, parent::behaviors(), ['contentNegotiator' => ['class' => ContentNegotiator::className(), 'formats' => ['application/json' => Response::FORMAT_JSON]], 'corsFilter' => Cors::className(), 'authenticator' => QueryParamAuthSwagger::className()]); return $behaviors; }
public function behaviors() { $behaviors = parent::behaviors(); // SEE https://github.com/yiisoft/yii2/pull/8626 //$behaviors['corsFilter'] = [ $behaviors[0] = ['class' => \yii\filters\Cors::className(), 'cors' => ['Origin' => ['*'], 'Access-Control-Request-Method' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'], 'Access-Control-Request-Headers' => ['*'], 'Access-Control-Allow-Credentials' => true, 'Access-Control-Expose-Headers' => ['Link', 'X-Pagination-Current-Page', 'X-Pagination-Page-Count', 'X-Pagination-Per-Page', 'X-Pagination-Total-Count']]]; //$behaviors['authenticator'] = [ $behaviors[1] = ['class' => \yii\filters\auth\HttpBearerAuth::className(), 'except' => ['options']]; return $behaviors; }
/** * @inheritdoc */ public function behaviors() { $self = $this; return ['access' => ['class' => AccessControl::className(), 'only' => ['logout', 'signup'], 'rules' => [['actions' => ['signup'], 'allow' => true, 'roles' => ['?']], ['actions' => ['logout'], 'allow' => true, 'roles' => ['@']]], 'denyCallback' => function ($rule, $action) use($self) { if ('signup' == $action->id) { return $self->afterLogin(); } else { return $self->redirect(['site/index']); } }], 'verbs' => ['class' => VerbFilter::className(), 'actions' => []], 'corsFilter' => ['class' => \yii\filters\Cors::className()]]; }
public function behaviors() { $behaviors = parent::behaviors(); if ($this->jsonCallback) { $behaviors['contentNegotiator']['formats']['*/*'] = Response::FORMAT_JSONP; $behaviors['contentNegotiator']['formats']['application/xml'] = Response::FORMAT_JSONP; $behaviors['contentNegotiator']['formats']['application/json'] = Response::FORMAT_JSONP; } else { $behaviors['contentNegotiator']['formats']['*/*'] = Response::FORMAT_JSON; $behaviors['contentNegotiator']['formats']['application/xml'] = Response::FORMAT_JSON; $behaviors['contentNegotiator']['formats']['application/json'] = Response::FORMAT_JSON; } $behaviors['corsFilter'] = ['class' => yii\filters\Cors::className(), 'cors' => Yii::$app->params['cors']]; return $behaviors; }
public function behaviors() { $behaviors = parent::behaviors(); // $behaviors['corsFilter'] = // [ // 'class' => Cors::className(), // 'cors' => [ // 'Origin' => ['http://erp.local'], // 'Origin' => ['*'], // 'Access-Control-Request-Method' => ['GET', 'HEAD', 'OPTIONS'], // ], // ]; $behaviors['cors'] = ['class' => Cors::className()]; return $behaviors; }
/** * @internal * Only allows POST requests to the hook endpoints */ public function behaviors() { return ['verbs' => ['class' => VerbFilter::className(), 'actions' => ['index' => ['get'], 'view' => ['get']]], 'corsFilter' => ['class' => Cors::className(), 'cors' => ['Origin' => ['*'], 'Access-Control-Request-Method' => ['GET', 'HEAD']]]]; }
public function behaviors() { return ArrayHelper::merge(parent::behaviors(), ['contentNegotiator' => ['class' => ContentNegotiator::className(), 'formats' => ['application/json' => 'jsonrpc']], 'authenticator' => ['class' => CompositeAuth::className(), 'optional' => ['index'], 'authMethods' => [UserAuth::className(), QueryParamAuth::className(), HttpBearerAuth::className()]], 'corsFilter' => ['class' => Cors::className()]]); }
public function behaviors() { return ['corsFilter' => ['class' => \yii\filters\Cors::className(), 'cors' => ['Origin' => ['*'], 'Access-Control-Request-Method' => ['POST'], 'Access-Control-Request-Headers' => ['*']]]]; }
/** * @var User User for check access. */ public function behaviors() { return ['verbs' => ['class' => VerbFilter::className(), 'actions' => ['delete' => ['post']]], 'corsFilter' => ['class' => \yii\filters\Cors::className()]]; }
/** * @inheritdoc */ public function behaviors() { return ['contentNegotiator' => ['class' => ContentNegotiator::className(), 'formats' => ['application/json' => Response::FORMAT_JSON, 'application/xml' => Response::FORMAT_XML]], 'corsFilter' => ['class' => \yii\filters\Cors::className(), 'cors' => ['Origin' => ['*'], 'Access-Control-Request-Method' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'], 'Access-Control-Request-Headers' => ['Origin', 'X-Requested-With', 'Content-Type', 'Accept', 'Authorization'], 'Access-Control-Allow-Credentials' => true, 'Access-Control-Max-Age' => 86400, 'Access-Control-Expose-Headers' => []]], 'authenticator' => ['class' => HttpBearerAuth::className(), 'only' => ['dashboard']]]; }
public function behaviors() { return \yii\helpers\ArrayHelper::merge(parent::behaviors(), [['class' => 'yii\\filters\\ContentNegotiator', 'formats' => ['application/json' => Response::FORMAT_JSON]], 'corsFilter' => ['class' => \yii\filters\Cors::className()]]); }
<?php $config = ['components' => ['assetManager' => ['class' => 'yii\\web\\AssetManager', 'linkAssets' => true, 'appendTimestamp' => YII_ENV_DEV]], 'as locale' => ['class' => 'common\\behaviors\\LocaleBehavior', 'enablePreferredLanguage' => true], 'as corsFilter' => ['class' => \yii\filters\Cors::className(), 'cors' => ['Origin' => array_merge(['https://fr.proxfree.com', 'http://fr.proxfree.com', 'http://proxfree.com', Yii::getAlias('@frontendUrl'), Yii::getAlias('@backendUrl')], explode(',', Yii::getAlias('@frontendUrls')))]]]; if (YII_DEBUG) { /* $config['bootstrap'][] = 'debug'; $config['modules']['debug'] = [ 'class' => 'yii\debug\Module', 'allowedIPs' => ['127.0.0.1', '::1', '192.168.33.1'], ]; */ } if (YII_ENV_DEV) { $config['modules']['gii'] = ['allowedIPs' => ['127.0.0.1', '::1', '192.168.33.1']]; } return $config;
public function behaviors() { return ['corsFilter' => ['class' => \yii\filters\Cors::className()]]; }
public function behaviors() { return ArrayHelper::merge([['class' => Cors::className(), 'cors' => ['Origin' => ['*'], 'Access-Control-Request-Method' => ['GET'], 'Access-Control-Request-Headers' => ['*']]]], parent::behaviors()); }
/** * @inheritdoc */ public function behaviors() { return ArrayHelper::merge([['class' => Cors::className(), 'cors' => ['Origin' => ['*'], 'Access-Control-Request-Method' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'], 'Access-Control-Request-Headers' => ['*'], 'Access-Control-Allow-Headers' => ['*'], 'Access-Control-Allow-Credentials' => true, 'Access-Control-Expose-Headers' => ['Link', 'X-Pagination-Current-Page', 'X-Pagination-Page-Count', 'X-Pagination-Per-Page', 'X-Pagination-Total-Count']]], 'authenticator' => ['class' => CompositeAuth::className(), 'except' => $this->authenticatorExceptions, 'authMethods' => [['class' => HttpBearerAuth::className()], ['class' => QueryParamAuth::className(), 'tokenParam' => 'accessToken']]], 'exceptionFilter' => ['class' => ErrorToExceptionFilter::className()]], parent::behaviors()); }
public function behaviors() { $behaviors = parent::behaviors(); $behaviors['corsFilter'] = ['class' => Cors::className(), 'cors' => ['Origin' => ['http://erp.local']]]; return $behaviors; }
public function behaviors() { return ArrayHelper::merge([['class' => Cors::className(), 'cors' => ['Origin' => ['*'], 'Access-Control-Request-Method' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'], 'Access-Control-Request-Headers' => ['*']]]], parent::behaviors()); }
public function behaviors() { $behaviors = parent::behaviors(); $behaviors['authenticator'] = ['class' => HttpBearerAuth::className(), 'only' => ['logout', 'test']]; return \yii\helpers\ArrayHelper::merge([['class' => \yii\filters\Cors::className(), 'cors' => ['Origin' => ['*'], 'Access-Control-Allow-Origin' => ['*'], 'Access-Control-Request-Method' => $this->_verbs, 'Access-Control-Request-Headers' => ['*']]]], $behaviors); }
public function behaviors() { return ArrayHelper::merge(parent::behaviors(), ['authenticator' => ['class' => CompositeAuth::className(), 'authMethods' => [['class' => HttpBearerAuth::className()], ['class' => QueryParamAuth::className()]]], 'bootstrap' => ['class' => ContentNegotiator::className(), 'formats' => ['application/json' => Response::FORMAT_JSON, 'charset' => 'UTF-8'], 'languages' => ['en', 'de']], 'corsFilter' => ['class' => \yii\filters\Cors::className(), 'cors' => ['Origin' => ['http://lukisongroup.com', 'http://lukisongroup.int'], 'Access-Control-Request-Method' => ['POST', 'PUT', 'GET'], 'Access-Control-Request-Headers' => ['X-Wsse'], 'Access-Control-Allow-Credentials' => true, 'Access-Control-Max-Age' => 3600, 'Access-Control-Expose-Headers' => ['X-Pagination-Current-Page']]]]); }
public function behaviors() { $behaviors = parent::behaviors(); $behaviors['corsFilter'] = ['class' => Cors::className()]; return $behaviors; }
public function behaviors() { return ArrayHelper::merge(parent::behaviors(), ['authenticator' => ['class' => CompositeAuth::className(), 'authMethods' => [['class' => HttpBearerAuth::className()], ['class' => QueryParamAuth::className(), 'tokenParam' => 'access-token']]], 'bootstrap' => ['class' => ContentNegotiator::className(), 'formats' => ['application/json' => Response::FORMAT_JSON]], 'corsFilter' => ['class' => \yii\filters\Cors::className(), 'cors' => ['Origin' => ['http://ptrnov-erp.dev', 'https://ptrnov-erp.dev'], 'Access-Control-Request-Method' => ['POST', 'PUT'], 'Access-Control-Request-Headers' => ['X-Wsse'], 'Access-Control-Allow-Credentials' => true, 'Access-Control-Max-Age' => 3600, 'Access-Control-Expose-Headers' => ['X-Pagination-Current-Page']]]]); }
public function behaviors() { return \yii\helpers\ArrayHelper::merge(parent::behaviors(), ['corsFilter' => ['class' => \yii\filters\Cors::className()]]); }
public function behaviors() { return ['access' => ['class' => AccessControl::className(), 'rules' => [['actions' => ['acceso-usuario', 'crear-cuenta', 'restablecimiento', 'auth', 'error'], 'allow' => true, 'roles' => ['?']], ['actions' => ['error', 'salir', 'acceso-usuario', 'crear-cuenta', 'auth', 'restablecimiento', 'eliminar-cuenta', 'index', 'publicar-articulo', 'editar', 'eliminar', 'mis-datos', 'mensajes', 'mensaje', 'configuracion', 'favoritos', 'imagenperfil', 'addimagenes', 'delimagenes'], 'allow' => true, 'roles' => ['@']], ['actions' => ['descuentos', 'publicar-descuento', 'subcategos-descuentos'], 'allow' => true, 'roles' => ['admin', 'vendedor', 'empresa', 'empleado']]]], 'verbs' => ['class' => VerbFilter::className(), 'actions' => ['salir' => ['post'], 'imagenperfil' => ['post'], 'auth' => ['get'], 'eliminar-cuenta' => ['post']]], 'corsFilter' => ['class' => \yii\filters\Cors::className(), 'cors' => [], 'actions' => ['salir' => ['Origin' => ['*'], 'Access-Control-Request-Method' => ['POST', 'GET'], 'Access-Control-Request-Headers' => ['*'], 'Access-Control-Allow-Credentials' => null, 'Access-Control-Max-Age' => 86400, 'Access-Control-Expose-Headers' => []], 'acceso-usuario' => ['Origin' => ['*'], 'Access-Control-Request-Method' => ['POST', 'GET'], 'Access-Control-Request-Headers' => ['*'], 'Access-Control-Allow-Credentials' => null, 'Access-Control-Max-Age' => 86400, 'Access-Control-Expose-Headers' => []]]]]; }
/** * @inheritdoc */ public function behaviors() { return ['access' => ['class' => AccessControl::className(), 'only' => ['logout', 'signup'], 'rules' => [['actions' => ['signup'], 'allow' => true, 'roles' => ['?']], ['actions' => ['logout'], 'allow' => true, 'roles' => ['@']]]], 'verbs' => ['class' => VerbFilter::className(), 'actions' => ['logout' => ['post']]], 'corsFilter' => ['class' => \yii\filters\Cors::className(), 'cors' => ['Origin' => ['http://192.168.1.55:8080'], 'Access-Control-ReactionGet_landing_sliderquest-Method' => ['GET'], 'Access-Control-Request-Headers' => ['X-Wsse'], 'Access-Control-Allow-Credentials' => true, 'Access-Control-Max-Age' => 3600, 'Access-Control-Expose-Headers' => ['X-Pagination-Current-Page']]]]; }
/** * @inheritdoc */ public function behaviors() { return [['class' => Cors::className(), 'cors' => ['Origin' => $this->accessControlRequestOrigin, 'Access-Control-Request-Headers' => $this->accessControlRequestHeaders, 'Access-Control-Request-Method' => $this->accessControlRequestMethod]], 'contentNegotiator' => ['class' => ContentNegotiator::className(), 'formats' => ['application/json' => Response::FORMAT_JSON, 'text/html' => Response::FORMAT_HTML]]]; }
public function behaviors() { return ArrayHelper::merge(parent::behaviors(), ['corsFilter' => ['class' => \yii\filters\Cors::className(), 'cors' => ['Origin' => ['*'], 'Access-Control-Request-Method' => ['POST', 'PUT', 'GET'], 'Access-Control-Request-Headers' => ['X-Wsse'], 'Access-Control-Allow-Credentials' => true, 'Access-Control-Max-Age' => 3600, 'Access-Control-Expose-Headers' => ['X-Pagination-Current-Page']]]]); }
<?php $config = ['homeUrl' => Yii::getAlias('@apiUrl'), 'controllerNamespace' => 'api\\controllers', 'defaultRoute' => 'sitemap/default/index', 'layout' => false, 'modules' => require __DIR__ . '/_modules.php', 'components' => ['request' => ['cookieValidationKey' => getenv('API_COOKIE_VALIDATION_KEY')], 'user' => ['class' => 'yii\\web\\User', 'identityClass' => 'api\\models\\ApiUserIdentity']], 'as corsFilter' => ['class' => \yii\filters\Cors::className(), 'cors' => ['Origin' => array_merge([Yii::getAlias('@frontendUrl')], explode(',', Yii::getAlias('@frontendUrls')))]]]; if (YII_ENV_DEV) { $config['modules']['gii'] = ['class' => 'yii\\gii\\Module', 'generators' => ['crud' => ['class' => 'yii\\gii\\generators\\crud\\Generator', 'messageCategory' => 'api']]]; } if (YII_ENV_PROD) { // Maintenance mode $config['bootstrap'] = ['maintenance']; $config['components']['maintenance'] = ['class' => 'common\\components\\maintenance\\Maintenance', 'enabled' => function ($app) { return $app->keyStorage->get('api_maintenance') === 'true'; }]; } return $config;