lthn.io/config/cors.php
Claude 8a09c28ce5
feat(widget): embeddable .lthn name search widget + CORS
- /widget.js — drop-in search widget for partner sites
- Dark/light theme via data-theme attribute
- Checks availability, shows reserved/taken/available with register link
- CORS enabled on v1/* for cross-origin widget API calls
- XSS-safe: uses DOM methods, no innerHTML

Embed: <div id="lthn-search"></div><script src="https://lthn.io/widget.js"></script>

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 05:16:13 +01:00


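<?php

/*
|--------------------------------------------------------------------------
| Cross-Origin Resource Sharing (CORS) Configuration
|--------------------------------------------------------------------------
|
| CORS settings for the Host Hub API.
|
| Origin policy as actually configured below:
| - When CORS_ALLOWED_ORIGINS is set, it is a comma-separated list of exact
|   origins (e.g. "https://a.example,https://b.example"); entries are trimmed
|   and blanks dropped, so stray whitespace around a comma cannot silently
|   produce an origin that never matches the browser's Origin header.
| - When it is unset, allowed_origins falls back to '*', i.e. every origin is
|   allowed. The embeddable widget served from partner sites relies on this.
|   In that mode allowed_origins_patterns has no narrowing effect; it only
|   matters once CORS_ALLOWED_ORIGINS restricts allowed_origins.
|
| Security notes:
| - supports_credentials=false prevents cross-origin cookie sending, which is
|   what makes the '*' fallback acceptable: responses are readable cross-origin
|   but never carry the caller's session.
| - Authenticated endpoints are protected by session + CSRF regardless.
| - Public APIs (analytics, widgets) work via simple requests or no-cors.
| - NOTE(review): with credentials disabled, a cross-origin SPA cannot obtain
|   the CSRF cookie from sanctum/csrf-cookie; that path is effectively
|   same-origin only. Confirm this matches the intended SPA deployment.
|
*/

// Read once; env() is a framework helper and may be null/empty when unset.
$configuredOrigins = env('CORS_ALLOWED_ORIGINS');

return [
    'paths' => ['api/*', 'v1/*', 'sanctum/csrf-cookie'],

    'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],

    // Exact-match origins. Trim each entry and drop empties so a value like
    // "https://a.example, https://b.example," yields two usable origins rather
    // than " https://b.example" and "" (neither of which would ever match).
    'allowed_origins' => $configuredOrigins
        ? array_values(array_filter(
            array_map(static fn (string $origin): string => trim($origin), explode(',', (string) $configuredOrigins)),
            static fn (string $origin): bool => $origin !== '',
        ))
        : ['*'],

    // Regex-matched origins; consulted only when allowed_origins is not '*'.
    'allowed_origins_patterns' => [
        // Lethean domains: apex or a single subdomain level, HTTPS only
        '#^https://([a-z0-9-]+\.)?lthn\.(io|ai|sh)$#',
        // Local development (any port, http or https)
        '#^https?://localhost(:\d+)?$#',
        '#^https?://127\.0\.0\.1(:\d+)?$#',
    ],

    'allowed_headers' => [
        'Content-Type',
        'X-Requested-With',
        'Authorization',
        'Accept',
        'Origin',
        'X-CSRF-TOKEN',
        'X-XSRF-TOKEN',
    ],

    // Headers a cross-origin caller is permitted to read from the response.
    'exposed_headers' => [
        'X-RateLimit-Limit',
        'X-RateLimit-Remaining',
        'X-RateLimit-Reset',
        'Retry-After',
    ],

    // Cache preflight responses for 1 hour
    'max_age' => 3600,

    // CRITICAL: Keep false to prevent cross-origin credential sending.
    // Browsers also refuse to combine credentials with a '*' origin, so
    // flipping this to true would additionally break the '*' fallback above.
    'supports_credentials' => false,
];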