hasHeader('Origin')) { return $response; } // Add Allow-Origin header $response = $response->withHeader('Access-Control-Allow-Origin', '*'); if ($request->getMethod() !== 'OPTIONS') { return $response; } // Add OPTIONS-specific headers $headers = [ 'Access-Control-Allow-Methods' => 'GET, POST, PUT, DELETE, OPTIONS', // TODO Should be based on path 'Access-Control-Max-Age' => '1000', 'Access-Control-Allow-Headers' => $request->getHeaderLine('Access-Control-Request-Headers'), ]; foreach ($headers as $key => $value) { $response = $response->withHeader($key, $value); } return $response; } }