[stack middleware]: http://stackphp.com/
+### Options
+
+| Option | Description | Default value |
+|------------------------|------------------------------------------------------------|---------------|
+| allowedMethods | Matches the request method. | `array()` |
+| allowedOrigins | Matches the request origin. | `array()` |
+| allowedOriginsPatterns | Matches the request origin with `preg_match`. | `array()` |
+| allowedHeaders | Sets the Access-Control-Allow-Headers response header. | `array()` |
+| exposedHeaders | Sets the Access-Control-Expose-Headers response header. | `false` |
+| maxAge | Sets the Access-Control-Max-Age response header. | `false` |
+| supportsCredentials | Sets the Access-Control-Allow-Credentials header. | `false` |
+
+The _allowedMethods_ and _allowedHeaders_ options are case-insensitive.
+
+You don't need to provide both _allowedOrigins_ and _allowedOriginsPatterns_. If one of the strings passed matches, it is considered a valid origin.
+
+If `array('*')` is provided to _allowedMethods_, _allowedOrigins_ or _allowedHeaders_ all methods / origins / headers are allowed.
+
### Example: using the library
```php
use Asm89\Stack\CorsService;
$cors = new CorsService(array(
- 'allowedHeaders' => array('x-allowed-header', 'x-other-allowed-header'),
- 'allowedMethods' => array('DELETE', 'GET', 'POST', 'PUT'),
- 'allowedOrigins' => array('localhost'),
- 'exposedHeaders' => false,
- 'maxAge' => false,
- 'supportsCredentials' => false,
+ 'allowedHeaders' => array('x-allowed-header', 'x-other-allowed-header'),
+ 'allowedMethods' => array('DELETE', 'GET', 'POST', 'PUT'),
+ 'allowedOrigins' => array('localhost'),
+ 'allowedOriginsPatterns' => array('/localhost:\d/'),
+ 'exposedHeaders' => false,
+ 'maxAge' => false,
+ 'supportsCredentials' => false,
));
$cors->addActualRequestHeaders(Response $response, $origin);
'allowedMethods' => array('DELETE', 'GET', 'POST', 'PUT'),
// you can use array('*') to allow requests from any origin
'allowedOrigins' => array('localhost'),
+ // you can enter regexes that are matched to the origin request header
+ 'allowedOriginsPatterns' => array('/localhost:\d/'),
'exposedHeaders' => false,
'maxAge' => false,
'supportsCredentials' => false,