Kirby Tools
Hub

CORS

Configure Cross-Origin Resource Sharing for your headless API.

Kirby Headless handles CORS preflight requests automatically, allowing your frontend application to fetch data from a different domain.

Configuration

Customize CORS headers in your config.php:

config.php
return [
    'headless' => [
        'cors' => [
            'allowOrigin' => '*',
            'allowMethods' => 'GET, POST, OPTIONS',
            'allowHeaders' => 'Accept, Content-Type, Authorization, X-Language, X-Cacheable',
            'maxAge' => '86400'
        ]
    ]
];

Options

allowOrigin String

Specifies which origins can access your API. Use * to allow all origins, or specify a specific domain.

Default: *

allowMethods String

HTTP methods allowed for cross-origin requests.

Default: GET, POST, OPTIONS

allowHeaders String

Headers that can be used in the actual request.

Default: Accept, Content-Type, Authorization, X-Language, X-Cacheable

maxAge String

How long (in seconds) the preflight response can be cached.

Default: 86400 (24 hours)

Authentication

Configure bearer token or basic authentication for your headless API.

Panel Configuration

Configure preview URLs and Panel redirects for headless setups.