CORS headers not being added to the response despite endpoint using cors class in behaviors inside apicontroller

I have an issue with the CORS header not being added to the response. I’m using the ‘cors’ from the package \yii\filters\Cors

Basically, I’m doing this :

class ApiController extends ActiveController


public function behaviors() {

return array_merge(parent::behaviors(), [

// For cross-domain AJAX request

‘corsFilter’ => [

‘class’ => \yii\filters\Cors::className(),

‘cors’ => [

// restrict access to domains:

‘Origin’ => [



‘Access-Control-Request-Method’ => [‘POST’, ‘HEAD’, ‘DELETE’, ‘PUT’, ‘GET’, ‘OPTIONS’],

‘Access-Control-Allow-Credentials’ => true,

‘Access-Control-Request-Headers’ => [’*’],

‘Access-Control-Allow-Origin’ => true,

‘Access-Control-Expose-Headers’ => [’*’],

‘Access-Control-Max-Age’ => 3600, // Cache (seconds)





And I still have the same result as without applying this method… No CORS headers are added to the Response of the OPTIONS query to my endpoint.

Anyone else having/had that issue ?

Hello and welcome!

Any output the debug toolbar shows?
Using wildcard origin with credentials could be problematic.
How do you inspect the response header? Firefox (>73) developer tools?
And if so, does your console show any CORS errors?