apiCorsAllowedOriginList has no effect with .htaccess apache header - CORS Middleware

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Alexis
    Junior Member
    • Apr 2025
    • 18

    #1

    apiCorsAllowedOriginList has no effect with .htaccess apache header - CORS Middleware

    Hello,

    I succeeded in allowing CORS middleware.

    But apiCorsAllowedOriginList seems to have no effect if you add mod_headers in your .htaccess

    Like him in this post, I had to add headers to make the CORS middleware works :
    Good Day, I am trying to access EspoCRM Api from another domain. Locally this is both on localhost but the requesting app runs port 5173, EspoCRM on 8082. See first screenshot attached. CORS Middleware has been added recently (https://github.com/espocrm/espocrm/pull/2754) but when I add the supplied config to /data/config.php


    And when mod_headers are added then, it seems apiCorsAllowedOriginList has no effect

    So I made it works ! Yeah !
    So for info here is the code :

    Here is my .htaccess file /public/api/v1/.htaccess
    Code:
    <IfModule mod_headers.c>
    Header always set Access-Control-Allow-Origin "https://LANDINGPAGEwebsite.com"
    Header always set Access-Control-Allow-Methods "POST, OPTIONS"
    Header always set Access-Control-Allow-Headers "Content-Type, Accept, X-Api-Key"
    Header always set Access-Control-Allow-Credentials "true"
    </IfModule>
    Added this on data/config.php
    Code:
    return [
    'apiCorsAllowedOriginList' => [
    0 => 'https://FAKEwebsite.com' // I allowed ONLY one other website to test but I could post from "https://LANDINGPAGEwebsite.com" so it had no effect. I can remove it completely
    ],
    'apiCorsAllowedMethodList' => [ // I only allowed POST and OPTIONS in my case, but here the possibilities from what I
    0 => 'GET',
    1 => 'POST',
    2 => 'PUT',
    3 => 'PATCH',
    4 => 'DELETE',
    5 => 'OPTIONS'
    ],
    'apiCorsAllowedHeaderList' => [
    0 => 'Content-Type',
    1 => 'Accept',
    2 => 'X-Api-Key'
    ],
    ------
    For the record and for anyone who is struggling with the CORS Middleware, here is the rest of my files as an example.

    Added this in custom/Espo/Custom/Resources/routes.json
    Code:
    [
        {
            "route": "/Lead/:id",
            "method": "options"
        },
        {
            "route": "/Lead",
            "method": "options"
        }
    ]
    this in custom/Espo/Custom/Resources/metadata/app/api.json
    Code:
    {
    "globalMiddlewareClassNameList": [
    "Espo\\Tools\\Api\\Cors\\Middleware"
    ]
    }
    So it works. I had to modify/create 4 files in total.

    I'm sharing this mostly for other people, but if anyone can answer theses 2 questions :

    1. Is it normal ? Maybe .htaccess rules overwrite config.php rules and that's normal.
    2. In which case apiCorsAllowedOriginList works ?

    Have a great day.
    ​---
    After further looking, it seems a normal behavior.
    But I'm happy to share what made it works.
    Last edited by Alexis; Today, 02:40 PM.
Working...