CORS

Configure Cross-Origin Resource Sharing for your headless API.

Kirby Headless handles CORS preflight requests automatically, allowing your frontend application to fetch data from a different domain.

Configuration

Customize CORS headers in your config.php:

config.php

return [
    'headless' => [
        'cors' => [
            'allowOrigin' => '*',
            'allowMethods' => 'GET, POST, OPTIONS',
            'allowHeaders' => 'Accept, Content-Type, Authorization, X-Language, X-Cacheable',
            'maxAge' => '86400'
        ]
    ]
];

Options

`allowOrigin` String

Specifies which origins can access your API. Use * to allow all origins, or specify a specific domain.

Default: *

`allowMethods` String

HTTP methods allowed for cross-origin requests.

Default: GET, POST, OPTIONS

`allowHeaders` String

Headers that can be used in the actual request.

Default: Accept, Content-Type, Authorization, X-Language, X-Cacheable

`maxAge` String

How long (in seconds) the preflight response can be cached.

Default: 86400 (24 hours)

Authentication

Configure bearer token or basic authentication for your headless API.

Panel Configuration

Configure preview URLs and Panel redirects for headless setups.