update after PR 711

README.md

@@ -80,7 +80,7 @@ These are all the configuration options and their default value between brackets
 - "cacheType": `TempFile`, `Redis`, `Memcache`, `Memcached` or `NoCache` (`TempFile`)
 - "cachePath": Path/address of the cache (defaults to system's temp directory)
 - "cacheTime": Number of seconds the cache is valid (`10`)
-- "debug": Show errors in the "X-Debug-Info" header (`false`)
+- "debug": Show errors in the "X-Exception" headers (`false`)
 - "basePath": URI base path of the API (determined using PATH_INFO by default)
 
 All configuration options are also available as environment variables. Write the config option with capitals, a "PHP_CRUD_API_" prefix and underscores for word breakes, so for instance:

src/Tqdev/PhpCrudApi/Middleware/CorsMiddleware.php

@@ -45,7 +45,10 @@ class CorsMiddleware extends Middleware
             $response = $this->responder->error(ErrorCode::ORIGIN_FORBIDDEN, $origin);
         } elseif ($method == 'OPTIONS') {
             $response = ResponseFactory::fromStatus(ResponseFactory::OK);
-            $allowHeaders = $this->getProperty('allowHeaders', 'Content-Type, X-XSRF-TOKEN, X-Authorization, X-Debug-Info, X-Exception-Name, X-Exception-Message, X-Exception-File');
+            $allowHeaders = $this->getProperty('allowHeaders', 'Content-Type, X-XSRF-TOKEN, X-Authorization');
+            if ($this->debug) {
+                $allowHeaders = implode(', ', array_filter([$allowHeaders, 'X-Exception-Name, X-Exception-Message, X-Exception-File']));
+            }
             if ($allowHeaders) {
                 $response = $response->withHeader('Access-Control-Allow-Headers', $allowHeaders);
             }
@@ -61,7 +64,10 @@ class CorsMiddleware extends Middleware
             if ($maxAge) {
                 $response = $response->withHeader('Access-Control-Max-Age', $maxAge);
             }
-            $exposeHeaders = $this->getProperty('exposeHeaders', 'X-Debug-Info, X-Exception-Name, X-Exception-Message, X-Exception-File');
+            $exposeHeaders = $this->getProperty('exposeHeaders', '');
+            if ($this->debug) {
+                $exposeHeaders = implode(', ', array_filter([$exposeHeaders, 'X-Exception-Name, X-Exception-Message, X-Exception-File']));
+            }
             if ($exposeHeaders) {
                 $response = $response->withHeader('Access-Control-Expose-Headers', $exposeHeaders);
             }

tests/functional/001_records/041_cors_pre_flight.log

@@ -5,9 +5,8 @@ Access-Control-Request-Method: POST
 Access-Control-Request-Headers: X-XSRF-TOKEN, X-Requested-With
 ===
 200
-Access-Control-Allow-Headers: Content-Type, X-XSRF-TOKEN, X-Authorization, X-Debug-Info, X-Exception-Name, X-Exception-Message, X-Exception-File
+Access-Control-Allow-Headers: Content-Type, X-XSRF-TOKEN, X-Authorization
 Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST, DELETE, PATCH
 Access-Control-Max-Age: 1728000
-Access-Control-Expose-Headers: X-Debug-Info, X-Exception-Name, X-Exception-Message, X-Exception-File
 Access-Control-Allow-Credentials: true
 Access-Control-Allow-Origin: http://example.com

tests/functional/002_auth/001_jwt_auth.log

@@ -38,8 +38,7 @@ Access-Control-Request-Method: POST
 Access-Control-Request-Headers: X-PINGOTHER, Content-Type
 ===
 200
-Access-Control-Allow-Headers: Content-Type, X-XSRF-TOKEN, X-Authorization, X-Debug-Info, X-Exception-Name, X-Exception-Message, X-Exception-File
+Access-Control-Allow-Headers: Content-Type, X-XSRF-TOKEN, X-Authorization
 Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST, DELETE, PATCH
 Access-Control-Allow-Credentials: true
 Access-Control-Max-Age: 1728000
-Access-Control-Expose-Headers: X-Debug-Info, X-Exception-Name, X-Exception-Message, X-Exception-File