# graycore/magento2-cors

> A Magento 2 module that enables CORS on the GraphQL and REST Apis

`composer require graycore/magento2-cors`

Canonical URL: https://packagento.com/graycore/magento2-cors

## At a glance

- **Vendor**: graycore (https://packagento.com/graycore.md)
- **Latest version**: 2.1.3 — released 2026-05-18
- **Pricing**: Free
- **Package type**: Magento 2 module
- **Status**: active, accepting new buyers

## Installation

Packagento is licence-gated, so even free packages need a licence on a project before Composer can resolve them.

1. **Sign in or create an account** at https://packagento.com/customer/account/.

2. **Add the package to your account.** Open https://packagento.com/graycore/magento2-cors and complete the free checkout. A licence is minted automatically.

3. **Create or pick a project, then activate the licence on it.**
   - Projects represent the Magento installs you deploy to. Manage them at https://packagento.com/projects/.
   - Activate the new licence on the project you'll deploy this package to. Activation is what generates the Composer credentials scoped to that project.

4. **Add the project credentials to your Magento codebase.**

   Grab the project's public + private key from https://packagento.com/projects/ (open the project, then its Credentials tab), and add them to `auth.json`:

   ```json
   {
     "http-basic": {
       "packagento.com": {
         "username": "ppk_live_...",
         "password": "psk_live_..."
       }
     }
   }
   ```

   Add the Packagento Composer repository to `composer.json`:

   ```json
   {
     "repositories": [
       { "type": "composer", "url": "https://packagento.com" }
     ]
   }
   ```

5. **Install and apply.**

   ```bash
   composer require graycore/magento2-cors:*
   bin/magento setup:upgrade
   bin/magento setup:di:compile
   bin/magento cache:flush
   ```

## What it does

A Magento 2 module that enables CORS on the GraphQL and REST Apis

## README

<div align="center">

[![Packagist Downloads](https://img.shields.io/packagist/dm/graycore/magento2-cors?color=blue)](https://packagist.org/packages/graycore/magento2-cors/stats)
[![Packagist Version](https://img.shields.io/packagist/v/graycore/magento2-cors?color=blue)](https://packagist.org/packages/graycore/magento2-cors)
[![Packagist License](https://img.shields.io/packagist/l/graycore/magento2-cors)](https://github.com/graycoreio/magento2-cors/blob/master/LICENSE)
[![MageCheck Status](https://img.shields.io/github/actions/workflow/status/graycoreio/magento2-cors/check-extension.yaml?&label=MageCheck&labelColor=1a1a1a)](https://github.com/graycoreio/magento2-cors/actions/workflows/check-extension.yaml)
![MageCheck Supported Version](https://img.shields.io/badge/currently_supported-any?label=MageCheck%20Supported&labelColor=1a1a1a&color=090c9b)


</div>


### Magento Version Support
![Magento v2.3 Supported](https://img.shields.io/badge/Magento-2.3-brightgreen.svg?labelColor=2f2b2f&logo=magento&logoColor=f26724&color=464246&longCache=true&style=flat)
![Magento v2.4 Supported](https://img.shields.io/badge/Magento-2.4-brightgreen.svg?labelColor=2f2b2f&logo=magento&logoColor=f26724&color=464246&longCache=true&style=flat)

Ever try to work with the Magento GraphQL API or REST API from your browser and see the following?

```txt
Access to XMLHttpRequest at 'https://my.magento.app' from origin 'http://my.webapp.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
```

This package allows you to securely add the necessary CORS headers to the Magento 2 GraphQL or REST APIs with ease.

### Purpose
When building a headless application for Magento, or working with a client that respects the CORS protocol, you will need [CORS headers](https://fetch.spec.whatwg.org/#http-cors-protocol) on your backend resource.

This package will add configurable CORS Resource headers to the Magento 2 GraphQL or REST APIs, allowing you to access the GraphQL or REST APIs from your browser.

### Getting Started
This module is intended to be installed with [composer](https://getcomposer.org/). From the root of your Magento 2 project:

1. Download the package
```bash
composer require graycore/magento2-cors
```
2. [Configure the package](/docs/stories/configuring-the-headers.md)
3. Enable the package

```bash
./bin/magento module:enable Graycore_Cors
```

### Features
* [Configurable](./docs/stories/configuring-the-headers.md)
* [Respects the full CORS Protocol](https://fetch.spec.whatwg.org/#http-cors-protocol)
    * `Access-Control-Allow-Origin`
    * `Access-Control-Allow-Methods`
    * `Access-Control-Allow-Headers`
    * `Access-Control-Max-Age`
    * `Access-Control-Expose-Headers`
    * `Access-Control-Allow-Credentials`

* [Security By Default](./docs/stories/security.md#security-by-default)
* [Vary: Origin](https://fetch.spec.whatwg.org/#cors-protocol-and-http-caches)
### Helpful Links
* [FAQ](./docs/faq/faqs.md)
    * [Can I configure this from the admin panel?](./docs/faq/faqs.md#can-i-configure-this-from-the-admin-panel)

### Upgrading
* [Semver Policy](https://semver.org/)
* [Guide](./docs/upgrading/guide.md)

## Changelog

All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.

### [2.1.3](https://github.com/graycoreio/magento2-cors/compare/v2.1.2...v2.1.3) (2026-05-18)


#### Miscellaneous Chores

* **deps:** bump googleapis/release-please-action from 4 to 5 ([#96](https://github.com/graycoreio/magento2-cors/issues/96)) ([f402f78](https://github.com/graycoreio/magento2-cors/commit/f402f78c641e1f1cc97ed3e53da98986c8ddb5d2))
* **deps:** bump graycoreio/github-actions-magento2 ([#98](https://github.com/graycoreio/magento2-cors/issues/98)) ([ec4e3c3](https://github.com/graycoreio/magento2-cors/commit/ec4e3c3d7e62303a7ac16620b6ce0ca540677a2a))
* **deps:** bump graycoreio/github-actions-magento2 from 7.0.0 to 8.2.0 ([#102](https://github.com/graycoreio/magento2-cors/issues/102)) ([0b872fa](https://github.com/graycoreio/magento2-cors/commit/0b872fa1112d8b6d505618a2fb230286b920c8c3))
* **deps:** bump graycoreio/github-actions-magento2/.github/workflows/check-extension.yaml ([#99](https://github.com/graycoreio/magento2-cors/issues/99)) ([77f4313](https://github.com/graycoreio/magento2-cors/commit/77f4313b8537d84ce741801cdd1f4df6742fe1c0))

### [2.1.2](https://github.com/graycoreio/magento2-cors/compare/v2.1.1...v2.1.2) (2026-02-27)


#### Miscellaneous Chores

* remove extraneous nodejs deps ([0515bee](https://github.com/graycoreio/magento2-cors/commit/0515bee749818c13c3cce001448ddb0b443baf1a))

### [2.1.1](https://github.com/graycoreio/magento2-cors/compare/v2.1.0...v2.1.1) (2025-04-15)


#### Bug Fixes

* prevent 500 errors on frontend/admin routes for options requests ([627a211](https://github.com/graycoreio/magento2-cors/commit/627a21190d3636ae32303da738e87182c1536bf6))

### [2.1.0](https://github.com/graycoreio/magento2-cors/compare/v2.0.1...v2.1.0) (2024-10-10)


#### Features

* **docs:** augment docs for configuring Commerce Cloud ([#87](https://github.com/graycoreio/magento2-cors/issues/87)) ([d9f7f69](https://github.com/graycoreio/magento2-cors/commit/d9f7f69b301ba9bcbfb03bca8d27254a6eb98601))

### [2.0.1](https://github.com/graycoreio/magento2-cors/compare/v2.0.0...v2.0.1) (2024-02-07)


#### Bug Fixes

* `Access-Control-Expose-Headers` only set on preflight ([#84](https://github.com/graycoreio/magento2-cors/issues/84)) ([f2515c8](https://github.com/graycoreio/magento2-cors/commit/f2515c831641eeb9cc3dbefc082a14706158581b))
* wrong di.xml configuration - missing noNamespaceSchemaLocation and xmlns:xsi ([#82](https://github.com/graycoreio/magento2-cors/issues/82)) ([104fd5d](https://github.com/graycoreio/magento2-cors/commit/104fd5dcb3a1c00e83a06973719d4aa4683cdcc6))

### [2.0.0](https://github.com/graycoreio/magento2-cors/compare/v2.0.0-rc.0...v2.0.0) (2022-10-14)


#### Bug Fixes

* add compatability between Laminas\Http and Zend\Http ([#75](https://github.com/graycoreio/magento2-cors/issues/75)) ([b1d4af1](https://github.com/graycoreio/magento2-cors/commit/b1d4af124b1a1a0f3ad19009a0eba5d9d973309f))

### [2.0.0-rc.0](https://github.com/graycoreio/magento2-cors/compare/v1.6.0...v2.0.0-rc.0) (2022-06-11)


#### ⚠ BREAKING CHANGES

* If you were expecting to use the native GraphQl/REST controller when computing CORS headers (and everything else that entails - like having a Magento session, for example) that guarantee is no-longer provided.

#### Features

* **graphql,rest:** add faster CORS headers ([#66](https://github.com/graycoreio/magento2-cors/issues/66)) ([cefd663](https://github.com/graycoreio/magento2-cors/commit/cefd6631d4f2aaf5347875a02d773317480783d5))


* denote breaking changes ([b98b9bc](https://github.com/graycoreio/magento2-cors/commit/b98b9bcfcefa533f84e85921a9becb5be2a9ff71))

### [1.6.0](https://github.com/graycoreio/magento2-cors/compare/v1.4.1...v1.6.0) (2022-06-11)


#### Features

_(Changelog truncated for .md surface. Full history on https://packagento.com/graycore/magento2-cors.)_

## Recent Versions

| Version | Released |
|---|---|
| 2.1.3 | 2026-05-18 |
| 2.1.2 | 2026-02-27 |
| 2.1.1 | 2025-04-15 |
| 2.1.0 | 2024-10-10 |
| 2.0.1 | 2024-02-07 |
| 2.0.0 | 2022-10-14 |
| 2.0.0-rc.0 | 2022-06-11 |
| 1.6.0 | 2022-06-11 |
| 1.5.0 | 2021-06-04 |
| 1.4.1 | 2021-03-04 |

Showing 10 of 17 versions. Full release history on https://packagento.com/graycore/magento2-cors.

## Dependencies

### Require

| Package | Constraint |
|---|---|
| magento/framework | ^102.0 \|\| ^103.0 |

### Require (dev)

| Package | Constraint |
|---|---|
| magento/magento-coding-standard | ^40 |
| magento/php-compatibility-fork | ^0.1.0 |
| phpunit/phpunit | ^12.0 |
| squizlabs/php_codesniffer | ^3.4 |

## Quality

Latest release (2.1.3) fails the Packagento QA pipeline. Verdicts below are per-cell (Magento line × PHP version) for the matrixed tools, and run-once for the static / security tiers.


### Compatibility

Each Magento line is installed on its supported PHP versions, then the module is built (DI compile + static-content deploy). Cells show passed / failed / untested; staircase gaps render as `–`.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | Pass | Pass | – | – |
| 2.4.8 | – | Pass | Pass | – |
| 2.4.9 | – | – | Pass | Pass |


### Code Quality

Advisory checks against the module's source. Never affect the Compatibility verdict — a phpcs finding can't make a module incompatible.

#### Static Analysis

Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| PHPCS | Pass | 0 |  |
| PHPMD | Warning | 5 | 5 rule violations (UnusedFormalParameter:4, MissingImport:1) |
| Cpd | Warning | 2 | 2 duplicated chunks spanning 88 total lines (min-lines=5, min-tokens=70) |
| Composer validate | Pass | 0 |  |

#### PHPStan

Type-checks the module against a real Magento install. Re-runs per Magento + PHP version because resolvable symbols differ between releases.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | 11 | 11 | – | – |
| 2.4.8 | – | 11 | 11 | – |
| 2.4.9 | – | – | 11 | 11 |


### Tests

Unit and integration suites run per Magento + PHP cell. Test failures speak to the module's behaviour, not its compatibility with a line, so they're reported here separately.

#### Unit Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |

#### Integration Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | Pass | Pass | – | – |
| 2.4.8 | – | Pass | Pass | – |
| 2.4.9 | – | – | Pass | Pass |


### Security

Dependency-advisory audit (composer audit) plus a source malware scan. A malware detection fails the version outright.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| Composer audit | Pass | 0 |  |
| Malware scan | Pass | 0 |  |

## Licence and pricing

Free. A licence is still minted on checkout and bound to your project for Composer access — no payment step.

Refundable within 14 days of first purchase via https://packagento.com/account/refunds/.

## Install via Claude Code or any MCP client

The Packagento MCP server can run the licence + project + Composer steps above in one tool call:

```
purchase_and_install_packages(
  composer_names=["graycore/magento2-cors"],
  project_id="proj_xxx"
)
```

This handles cart, checkout, licence minting, project activation, and writes auth.json credentials. Connect a client with `claude mcp add packagento https://mcp.packagento.com`. Full setup at https://packagento.com/docs/mcp-setup.

## Vendor

graycore is a Magento 2 vendor on Packagento. See https://packagento.com/graycore.md for their full catalogue.

