graycore / magento2-cors
graycore/magento2-cors
A Magento 2 module that enables CORS on the GraphQL and REST Apis
Magento 2 CORS
Magento Version Support
Ever try to work with the Magento GraphQL API or REST API from your browser and see the following?
Access to XMLHttpRequest at 'https://my.magento.app' from origin 'http://my.webapp.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
This package allows you to securely add the necessary CORS headers to the Magento 2 GraphQL or REST APIs with ease.
Purpose
When building a headless application for Magento, or working with a client that respects the CORS protocol, you will need CORS headers on your backend resource.
This package will add configurable CORS Resource headers to the Magento 2 GraphQL or REST APIs, allowing you to access the GraphQL or REST APIs from your browser.
Getting Started
This module is intended to be installed with composer. From the root of your Magento 2 project:
- Download the package
composer require graycore/magento2-cors
- Configure the package
- Enable the package
./bin/magento module:enable Graycore_Cors
Features
-
Respects the full CORS Protocol
Access-Control-Allow-OriginAccess-Control-Allow-MethodsAccess-Control-Allow-HeadersAccess-Control-Max-AgeAccess-Control-Expose-HeadersAccess-Control-Allow-Credentials
Helpful Links
Upgrading
Changelog
All notable changes to this project will be documented in this file. See standard-version for commit guidelines.
2.1.3 (2026-05-18)
Miscellaneous Chores
- deps: bump googleapis/release-please-action from 4 to 5 (#96) (f402f78)
- deps: bump graycoreio/github-actions-magento2 (#98) (ec4e3c3)
- deps: bump graycoreio/github-actions-magento2 from 7.0.0 to 8.2.0 (#102) (0b872fa)
- deps: bump graycoreio/github-actions-magento2/.github/workflows/check-extension.yaml (#99) (77f4313)
2.1.2 (2026-02-27)
Miscellaneous Chores
- remove extraneous nodejs deps (0515bee)
2.1.1 (2025-04-15)
Bug Fixes
- prevent 500 errors on frontend/admin routes for options requests (627a211)
2.1.0 (2024-10-10)
Features
2.0.1 (2024-02-07)
Bug Fixes
Access-Control-Expose-Headersonly set on preflight (#84) (f2515c8)- wrong di.xml configuration - missing noNamespaceSchemaLocation and xmlns:xsi (#82) (104fd5d)
2.0.0 (2022-10-14)
Bug Fixes
2.0.0-rc.0 (2022-06-11)
⚠ BREAKING CHANGES
- If you were expecting to use the native GraphQl/REST controller when computing CORS headers (and everything else that entails - like having a Magento session, for example) that guarantee is no-longer provided.
Features
1.6.0 (2022-06-11)
Features
- add Magento v2.4.4 and PHP8.1 support (#70) (6e8bfe1)
- rest: extend REST request to allow OPTIONS without error (#55) (eb1df2d)
1.4.1 (2021-03-04)
Bug Fixes
1.4.0 (2021-03-02)
Features
- graphql, rest: add support for access-control-expose-headers (#49) (53aac87)
- graphql, rest: apply certain headers only to preflight requests (#51) (30bcff0)
- graphql,rest: add support for Vary header with Origin (#47) (e656909)
- validator: add a new method to determine whether or not a reque… (#50) (8c3ef8b)
1.3.2 (2020-08-10)
1.3.1 (2020-08-10)
1.3.0 (2020-05-18)
Bug Fixes
Build System
- all: added unit tests to CI (#18) (aade441)
- all: adding linting with phpcs (#16) (8753bd2)
- all: set up CI with Azure Pipelines (#15) (f30b51f)
- ci: run integration tests in ci (#21) (a79d7f7)
Features
Tests
- configuration: added/updated unit tests for config files (#19) (826b68e)
- integration: updated integration tests to pass (#23) (89736d7)
1.2.0 (2020-01-20)
Features
1.1.0 (2020-01-17)
Bug Fixes
Features
- rest: add CORS support for Magento 2 REST APIs (#11) (2342976)
- rest: allow rest api and graphql apis to be configurable separately (#12) (ff5813e)
1.0.0 (2019-07-23)
Bug Fixes
- configuration: remove backtick in di.xml (3a6549c)
Features
- cors: initial package with configuration and validation for CORS headers on the GraphQL api (493c6ad)
- release: add basic release process (b09b62b)
- security: enforce security by default, no headers out of the box (cb3291c)
1.0.0 (2019-07-23)
Bug Fixes
- configuration: remove backtick in di.xml (3a6549c)
Features
| Version | Stability | QA Status | Released |
|---|---|---|---|
| 2.1.3 | stable | Fail | 2026-05-18 13:16:07 |
| 2.1.2 | stable | Not tested | 2026-02-27 19:06:23 |
| 2.1.1 | stable | Not tested | 2025-04-15 20:36:03 |
| 2.1.0 | stable | Not tested | 2024-10-10 14:50:46 |
| 2.0.1 | stable | Not tested | 2024-02-07 22:05:09 |
| 2.0.0 | stable | Not tested | 2022-10-14 17:40:09 |
| 2.0.0-rc.0 | RC | Not tested | 2022-06-11 19:17:32 |
| 1.6.0 | stable | Not tested | 2022-06-11 17:48:42 |
| 1.5.0 | stable | Not tested | 2021-06-04 02:19:22 |
| 1.4.1 | stable | Not tested | 2021-03-04 20:10:18 |
| 1.4.0 | stable | Not tested | 2021-03-02 18:50:39 |
| 1.3.2 | stable | Not tested | 2020-08-10 13:55:11 |
| 1.3.1 | stable | Not tested | 2020-08-10 04:00:27 |
| 1.3.0 | stable | Not tested | 2020-05-18 00:31:18 |
| 1.2.0 | stable | Not tested | 2020-01-20 04:26:50 |
| 1.1.0 | stable | Not tested | 2020-01-17 16:42:35 |
| 1.0.0 | stable | Not tested | 2019-07-23 15:07:19 |
Requires 1
| Package | Constraint |
|---|---|
| magento/framework | ^102.0 || ^103.0 |
Requires-dev 4
| Package | Constraint |
|---|---|
| magento/magento-coding-standard | ^40 |
| magento/php-compatibility-fork | ^0.1.0 |
| phpunit/phpunit | ^12.0 |
| squizlabs/php_codesniffer | ^3.4 |
| Tool | Status | Findings | Summary |
|---|---|---|---|
| PHPCS | Pass | 0 | |
| PHPStan | Fail | 11 | 11 errors (level 4, ruleset: phpstan + bitexpert/phpstan-magento) |
| Cpd | Fail | 2 | 2 duplicated chunks spanning 88 total lines (min-lines=5, min-tokens=70) |
| Security | Pass | 0 |
Turn an existing module into recurring revenue.
If you already maintain a Magento 2 module on GitHub or GitLab, listing it on Packagento takes about five minutes. We mirror your tags, handle distribution signing, and route paid licenses through Stripe Connect, so you can keep shipping the way you already do.