Fix CORS Error in Laravel

Updated April 2026

Reading this article? Verify your fix in real-time. Test your Laravel CORS config live → CORSFixer

Laravel 7+ ships with built-in CORS support. No package needed. Configure it in config/cors.php and the framework handles OPTIONS preflight automatically.

Browser Console
Access to XMLHttpRequest at 'https://api.yourapp.com/api/users' from origin 'https://yourapp.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Laravel 7+ — built-in CORS (no package needed)

# Publish the CORS config if it does not exist
php artisan config:publish cors

# config/cors.php
return [
    'paths' => ['api/*', 'sanctum/csrf-cookie'],
    'allowed_methods' => ['*'],
    'allowed_origins' => ['https://yourapp.com'],
    'allowed_origins_patterns' => [],
    'allowed_headers' => ['*'],
    'exposed_headers' => [],
    'max_age' => 0,
    'supports_credentials' => false,  // set true if using cookies
];

The HandleCors middleware is automatically registered globally in Laravel 7+. You do not need to add it to any middleware group — editing config/cors.php is sufficient.

Laravel Sanctum — SPA authentication with cookies

# config/cors.php
return [
    'paths' => ['api/*', 'sanctum/csrf-cookie'],
    'allowed_origins' => ['https://yourapp.com'],
    'supports_credentials' => true,  // required for Sanctum cookie auth
    'allowed_methods' => ['*'],
    'allowed_headers' => ['*'],
];

# Also set in .env or config/session.php:
SESSION_DOMAIN=.yourapp.com
SANCTUM_STATEFUL_DOMAINS=yourapp.com
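
A consistency check for the Sanctum settings above, as an added example that is not part of the original article or of Laravel itself. auditSanctumCors() is a hypothetical helper, the sample values are constructed, and PHP 8+ is assumed for str_ends_with().

```php
<?php
// Added example, not Laravel or Sanctum code. auditSanctumCors() is a
// hypothetical helper; its inputs mirror config/cors.php and the two .env values.
function auditSanctumCors(array $cors, string $sessionDomain, string $statefulDomains): array
{
    $findings = [];
    $origins  = $cors['allowed_origins'] ?? [];
    $creds    = $cors['supports_credentials'] ?? false;

    if (!$creds) {
        $findings[] = 'supports_credentials must be true for Sanctum cookie auth';
    }
    if (!in_array('sanctum/csrf-cookie', $cors['paths'] ?? [], true)) {
        $findings[] = "paths does not list 'sanctum/csrf-cookie'";
    }
    // Browsers refuse a literal * on credentialed requests; list exact origins.
    if ($creds && in_array('*', $origins, true)) {
        $findings[] = "allowed_origins contains '*' while supports_credentials is true";
    }

    // Simplification: exact host[:port] comparison, wildcard entries are not expanded.
    $stateful     = array_filter(array_map('trim', explode(',', $statefulDomains)));
    $cookieDomain = ltrim($sessionDomain, '.');

    foreach ($origins as $origin) {
        if ($origin === '*') {
            continue;
        }
        $parts    = parse_url($origin) ?: [];
        $host     = $parts['host'] ?? '';
        $hostPort = isset($parts['port']) ? $host . ':' . $parts['port'] : $host;
        if (!in_array($hostPort, $stateful, true)) {
            $findings[] = "$origin: $hostPort is missing from SANCTUM_STATEFUL_DOMAINS";
        }
        // Sanctum's cookie auth needs the SPA host to fall under the session cookie domain.
        if ($host !== $cookieDomain && !str_ends_with($host, '.' . $cookieDomain)) {
            $findings[] = "$origin: host is outside SESSION_DOMAIN $sessionDomain";
        }
    }
    return $findings;
}

// Constructed sample: the Sanctum values from this page plus one mismatched origin.
$cors = [
    'paths' => ['api/*', 'sanctum/csrf-cookie'],
    'allowed_origins' => ['https://yourapp.com', 'http://localhost:3000'],
    'supports_credentials' => true,
];
print_r(auditSanctumCors($cors, '.yourapp.com', 'yourapp.com'));
```

An empty result means the three settings agree; each finding names the origin and the setting it conflicts with.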

Laravel 6 and below — fruitcake/laravel-cors

composer require fruitcake/laravel-cors

# app/Http/Kernel.php — add to $middleware
protected $middleware = [
    \Fruitcake\Cors\HandleCors::class,
    // ...
];

API-only routes with Passport or JWT

# config/cors.php
'paths' => ['api/*'],
'allowed_headers' => ['Content-Type', 'Authorization', 'X-Requested-With'],
'allowed_methods' => ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
'allowed_origins' => ['https://yourapp.com'],
'supports_credentials' => false, // JWT is stateless, no cookies needed

Clear config cache after changes

php artisan config:clear
php artisan config:cache