How to fix blocked by CORS policy?

vintoICT · May 15, 2026, 9:37am

Access to XMLHttpRequest at 'http://localhost/server2026/api/login' from origin 'http://localhost:8100' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status. I was able to fix this in 2024 via API/index.php with

// Add CORS middleware

$app->add(new CorsMiddleware([

"Access-Control-Allow-Origin" => "*",

"Access-Control-Allow-Headers" => "X-Requested-With, Origin, X-Authorization, Content-Type, Authorization, Accept, Cache-Control, Pragma, Expires",

"Access-Control-Allow-Methods" => "GET, POST, PUT, PATCH, DELETE, OPTIONS",

"Access-Control-Allow-Credentials" => "false"

]));

// Add routing middleware (after CORS middleware so routing is performed first)

$app->addRoutingMiddleware();

// Handle preflight OPTIONS requests

if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {

header('Access-Control-Allow-Origin: *');

header('Access-Control-Allow-Headers: X-Requested-With, Origin, X-Authorization, Content-Type, Authorization, Accept, Cache-Control, Pragma, Expires');

header('Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS');

header('Access-Control-Allow-Credentials: false');

http_response_code(200);

exit();

}

but i dont know how to fix this in 2026 . Thank you

arbei · May 15, 2026, 1:33pm

You need to add config/packages/nelmio_cors.yaml and add the paths part for '^/api/' (don't add the defaults part).

Read Symfony docs for details.

OR, you may try to enable origin_regex and set the advanced setting Access-Control-Allow-Origin as:
^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?$|^https?://(www\.)?yourdomain\.com$

vintoICT · May 15, 2026, 2:17pm

<?php declare(strict_types=1); namespace Symfony\\Component\\DependencyInjection\\Loader\\Configurator; use function PHPMaker2026\apaserverapi\\Config; return App::config(\[ 'nelmio_cors' => \[ // The options defined under defaults are the default values applied to all the paths that match, // unless overridden in a specific URL configuration. If you want them to apply to everything, // you must define a path with ^/. // See https://symfony.com/bundles/NelmioCorsBundle/current/index.html#configuration // 'defaults' => Config('CORS'), // The paths array defines the rules for specific URL patterns. The keys are regular expressions that match the request path. 'paths' => \[ '^/api/' => \[ 'allow_origin' => \['\*'\], 'allow_headers' => \['X-Custom-Auth'\], 'allow_methods' => \['POST', 'PUT', 'GET', 'DELETE'\], 'max_age' => 3600, \], '^/' => \[ 'origin_regex' => true, 'allow_origin' => \['^http://localhost:\[0-9\]+'\], 'allow_headers' => \['X-Custom-Auth'\], 'allow_methods' => \['POST', 'PUT', 'GET', 'DELETE'\], 'max_age' => 3600, 'hosts' => \['^api\\\\.'\], \], \], \], \]); This is what i have now