server('HTTP_ORIGIN'); // Allow requests from mobile apps (no origin or capacitor/ionic) if (empty($origin) || in_array($origin, $allowedOrigins)) { $response = $next($request); $allowOrigin = empty($origin) ? '*' : $origin; return $response ->header('Access-Control-Allow-Origin', $allowOrigin) ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS') ->header('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With, X-XSRF-TOKEN'); } return $next($request); } }