headers->get('Origin'); $allowedOrigin = env('FRONTEND_URL', 'http://localhost:5173'); // Only set CORS headers if the origin matches our frontend if ($origin === $allowedOrigin) { $response->headers->set('Access-Control-Allow-Origin', $origin); $response->headers->set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS'); $response->headers->set('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With, Accept, X-XSRF-TOKEN'); $response->headers->set('Access-Control-Allow-Credentials', 'true'); } // Handle preflight OPTIONS requests if ($request->getMethod() === 'OPTIONS') { $response->setStatusCode(200); } return $response; } }