graycore / magento2-cors

graycore/magento2-cors

A Magento 2 module that enables CORS on the GraphQL and REST Apis

  • Damien Retzinger
magento2-module Compatibility: 2.4.7-2.4.9 Code Quality: Fail Tests: Pass Security: Pass MIT

Are you the maintainer of graycore?

Packagento pulls graycore's Composer packages from the public registry so buyers can find them here.

Claim the namespace to take ownership, publish new releases directly, and start charging for premium versions.

Claim this namespace →

Magento 2 CORS

Packagist Downloads
Packagist Version
Packagist License
MageCheck Status
MageCheck Supported Version

Magento Version Support

Magento v2.3 Supported
Magento v2.4 Supported

Ever try to work with the Magento GraphQL API or REST API from your browser and see the following?

Access to XMLHttpRequest at 'https://my.magento.app' from origin 'http://my.webapp.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

This package allows you to securely add the necessary CORS headers to the Magento 2 GraphQL or REST APIs with ease.

Purpose

When building a headless application for Magento, or working with a client that respects the CORS protocol, you will need CORS headers on your backend resource.

This package will add configurable CORS Resource headers to the Magento 2 GraphQL or REST APIs, allowing you to access the GraphQL or REST APIs from your browser.

Getting Started

This module is intended to be installed with composer. From the root of your Magento 2 project:

  1. Download the package
composer require graycore/magento2-cors
  1. Configure the package
  2. Enable the package
./bin/magento module:enable Graycore_Cors

Features

Helpful Links

Upgrading

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.1.3 (2026-05-18)

Miscellaneous Chores

  • deps: bump googleapis/release-please-action from 4 to 5 (#96) (f402f78)
  • deps: bump graycoreio/github-actions-magento2 (#98) (ec4e3c3)
  • deps: bump graycoreio/github-actions-magento2 from 7.0.0 to 8.2.0 (#102) (0b872fa)
  • deps: bump graycoreio/github-actions-magento2/.github/workflows/check-extension.yaml (#99) (77f4313)

2.1.2 (2026-02-27)

Miscellaneous Chores

  • remove extraneous nodejs deps (0515bee)

2.1.1 (2025-04-15)

Bug Fixes

  • prevent 500 errors on frontend/admin routes for options requests (627a211)

2.1.0 (2024-10-10)

Features

  • docs: augment docs for configuring Commerce Cloud (#87) (d9f7f69)

2.0.1 (2024-02-07)

Bug Fixes

  • Access-Control-Expose-Headers only set on preflight (#84) (f2515c8)
  • wrong di.xml configuration - missing noNamespaceSchemaLocation and xmlns:xsi (#82) (104fd5d)

2.0.0 (2022-10-14)

Bug Fixes

  • add compatability between Laminas\Http and Zend\Http (#75) (b1d4af1)

2.0.0-rc.0 (2022-06-11)

⚠ BREAKING CHANGES

  • If you were expecting to use the native GraphQl/REST controller when computing CORS headers (and everything else that entails - like having a Magento session, for example) that guarantee is no-longer provided.

Features

  • graphql,rest: add faster CORS headers (#66) (cefd663)

  • denote breaking changes (b98b9bc)

1.6.0 (2022-06-11)

Features

  • add Magento v2.4.4 and PHP8.1 support (#70) (6e8bfe1)
  • rest: extend REST request to allow OPTIONS without error (#55) (eb1df2d)

1.4.1 (2021-03-04)

Bug Fixes

  • graphql, rest: allow caching of options requests (#53) (f6b9b3f)

1.4.0 (2021-03-02)

Features

  • graphql, rest: add support for access-control-expose-headers (#49) (53aac87)
  • graphql, rest: apply certain headers only to preflight requests (#51) (30bcff0)
  • graphql,rest: add support for Vary header with Origin (#47) (e656909)
  • validator: add a new method to determine whether or not a reque… (#50) (8c3ef8b)

1.3.2 (2020-08-10)

1.3.1 (2020-08-10)

1.3.0 (2020-05-18)

Bug Fixes

  • graphql: prevent fatal error when using Chrome extensions for graphql querying (#24) (486fe10)

Build System

Features

  • cors: add header provider for Allow-Credentials (#27) (38bf597)

Tests

  • configuration: added/updated unit tests for config files (#19) (826b68e)
  • integration: updated integration tests to pass (#23) (89736d7)

1.2.0 (2020-01-20)

Features

  • rest: fixup rest api to handle options requests (#13) (3520b9d)

1.1.0 (2020-01-17)

Bug Fixes

Features

  • rest: add CORS support for Magento 2 REST APIs (#11) (2342976)
  • rest: allow rest api and graphql apis to be configurable separately (#12) (ff5813e)

1.0.0 (2019-07-23)

Bug Fixes

  • configuration: remove backtick in di.xml (3a6549c)

Features

  • cors: initial package with configuration and validation for CORS headers on the GraphQL api (493c6ad)
  • release: add basic release process (b09b62b)
  • security: enforce security by default, no headers out of the box (cb3291c)

1.0.0 (2019-07-23)

Bug Fixes

  • configuration: remove backtick in di.xml (3a6549c)

Features

  • cors: initial package with configuration and validation for CORS headers on the GraphQL api (493c6ad)
  • release: add basic release process (b09b62b)
  • security: enforce security by default, no headers out of the box (cb3291c)
Versions
Version Stability QA Status Compatibility Released
2.1.3 stable Fail Magento 2.4.7-2.4.9 Details 2026-05-18 13:16:07
2.1.2 stable Not tested Not yet tested Details 2026-02-27 19:06:23
2.1.1 stable Not tested Not yet tested Details 2025-04-15 20:36:03
2.1.0 stable Not tested Not yet tested Details 2024-10-10 14:50:46
2.0.1 stable Not tested Not yet tested Details 2024-02-07 22:05:09
2.0.0 stable Not tested Not yet tested Details 2022-10-14 17:40:09
2.0.0-rc.0 RC Not tested Not yet tested Details 2022-06-11 19:17:32
1.6.0 stable Not tested Not yet tested Details 2022-06-11 17:48:42
1.5.0 stable Not tested Not yet tested Details 2021-06-04 02:19:22
1.4.1 stable Not tested Not yet tested Details 2021-03-04 20:10:18
1.4.0 stable Not tested Not yet tested Details 2021-03-02 18:50:39
1.3.2 stable Not tested Not yet tested Details 2020-08-10 13:55:11
1.3.1 stable Not tested Not yet tested Details 2020-08-10 04:00:27
1.3.0 stable Not tested Not yet tested Details 2020-05-18 00:31:18
1.2.0 stable Not tested Not yet tested Details 2020-01-20 04:26:50
1.1.0 stable Not tested Not yet tested Details 2020-01-17 16:42:35
1.0.0 stable Not tested Not yet tested Details 2019-07-23 15:07:19

Requires 1

Package Constraint
magento/framework ^102.0 || ^103.0

Requires-dev 4

Package Constraint
magento/magento-coding-standard ^40
magento/php-compatibility-fork ^0.1.0
phpunit/phpunit ^12.0
squizlabs/php_codesniffer ^3.4

Compatibility

Each Magento release line is installed on its supported PHP versions, then the module is built (DI compilation + static-content deploy) and its unit and integration suites are run. The matrix shows the lines and PHP versions the module is confirmed to install and run on. Code-quality results further down (phpstan, phpcs, …) are reported separately and never affect compatibility.

Compatibility matrix (Magento × PHP)
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 Pass Pass
2.4.8 Pass Pass
2.4.9 Pass Pass

Code Quality

Advisory checks against the module's source. Static analysis runs once across the whole module; PHPStan re-runs per Magento + PHP version because resolvable symbols differ between releases. These NEVER affect the Compatibility badge. A phpcs finding can't make a module incompatible.

Static analysis

Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.

Static analysis results
Tool Status Findings Summary
PHPCS Pass 0
PHPMD Warning 5 5 rule violations (UnusedFormalParameter:4, MissingImport:1)
Cpd Warning 2 2 duplicated chunks spanning 88 total lines (min-lines=5, min-tokens=70)
Composer validate Pass 0

PHPStan

Type-checks the module's PHP against a real Magento install at the configured gate level. Re-runs per Magento and PHP version because resolvable symbols differ between releases.

PHPStan results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 11 11
2.4.8 11 11
2.4.9 11 11

Tests

Unit and integration suites, run for each applicable Magento and PHP version. A test failure speaks to the module's behaviour, not its compatibility with a Magento line, so it is reported here separately and never reddens the compatibility matrix.

Unit tests

Unit tests results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 N/A N/A
2.4.8 N/A N/A
2.4.9 N/A N/A

Integration tests

Integration tests results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 Pass Pass
2.4.8 Pass Pass
2.4.9 Pass Pass

Security

Security checks run directly against the module: an audit of its declared dependencies for known vulnerabilities (composer audit) and a scan of its source for malware and web-shell signatures. Each runs once. A malware detection fails the version outright.

Security results
Tool Status Findings Summary
Composer audit Pass 0
Malware scan Pass 0
License
MIT
Authors

More from graycore

View vendor
Make it pay

Turn an existing module into recurring revenue.

If you already maintain a Magento 2 module on GitHub or GitLab, listing it on Packagento takes about five minutes. We mirror your tags, handle distribution signing, and route paid licenses through Stripe Connect, so you can keep shipping the way you already do.