hasHeader('Origin')) { return $response; } // Add Allow-Origin header $response = $response->withHeader('Access-Control-Allow-Origin', $request->getHeader('Origin')) ->withHeader('Access-Control-Expose-Headers', 'Authorization'); if ($request->getMethod() !== 'OPTIONS') { return $response; } // Add OPTIONS-specific headers foreach ([ 'Access-Control-Allow-Methods' => 'GET,POST,PUT,DELETE,OPTIONS', // TODO Should be based on path 'Access-Control-Max-Age' => '1000', 'Access-Control-Allow-Headers' => $request->getHeaderLine('Access-Control-Request-Headers'), ] as $key => $value) { $response = $response->withHeader($key, $value); } return $response; } }