Laravel 8 CORS issue getting 403 OPTIONS

  cors, laravel, php

I deployed my laravel application on CPanel using Sanctum for SPA.
The frontend is using Vue. The application is running on and the backend is

The application runs just fine on localhost. But when I moved to CPanel I keep getting the 403 for OPTIONS


Route::post('/login', [AuthController::class, 'auth']);
Route::group(['middleware' => ['auth:sanctum']], function() {
    Route::get('/comercial/page/{pageSize}', [ComercialController::class, 'all'])->middleware(['can:isTodos']);
    Route::get('/residencial/page/{pageSize}', '[email protected]')->middleware(['can:isAdmin']);


'paths' => ['api/*', 'sanctum/csrf-cookie'],

    'allowed_methods' => ['OPTIONS', 'GET', 'POST'],

    'allowed_origins' => [''],

    'allowed_origins_patterns' => [],
    //'x-requested-with', 'client-security-token', 
    'allowed_headers' => [ 'Content-Type', 'Origin', 'Authorization', 'Accept', 'Set-Cookie', 'XSRF-TOKEN'],

    'exposed_headers' => [],

    'max_age' => 1000,

    'supports_credentials' => true,


RewriteOptions inherit
<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews -Indexes

    #Manter essas linhas
    Header always set Access-Control-Allow-Origin ""
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header always set Access-Control-Max-Age "1000"
    #client-security-token,, x-requested-with,
    Header always set Access-Control-Allow-Headers "Content-Type, Origin, Authorization, Accept,  Set-Cookie, XSRF-TOKEN"
    Header always set Access-Control-Allow-Credentials "true" 
    RewriteEngine On

    # Handle Authorization Header
    RewriteCond %{HTTPS:Authorization} .
    RewriteRule .* - [E=HTTPS_AUTHORIZATION:%{HTTPS:Authorization}]

    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Send Requests To Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]


Main issue

Request URL:
Request Method: OPTIONS
Status Code: 403 Forbidden
Remote Address:
Referrer Policy: strict-origin-when-cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type, x-requested-with, Content-Type, origin, authorization, accept, client-security-token, Set-Cookie, XSRF-TOKEN, Access-Control-Allow-Origin
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT
Access-Control-Max-Age: 1000
Cache-Control: no-cache, private
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Date: Fri, 10 Sep 2021 01:11:15 GMT
Keep-Alive: timeout=5, max=100
Server: Apache
Transfer-Encoding: chunked
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Access-Control-Request-Headers: content-type,x-xsrf-token
Access-Control-Request-Method: POST
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36

Access to XMLHttpRequest at '' from origin '' 
has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status. 

Kindly is there anyone that could assist me on this issue?

Source: Laravel

Leave a Reply