tests

src/Http/Middleware/CorsMiddleware.php

@@ -40,7 +40,7 @@ class CorsMiddleware implements MiddlewareInterface
 
         $allowOrigin = in_array($origin, $allowedOrigins, true)
             ? $origin
-            : 'null';
+            : null;
 
         if ($request->getMethod() === 'OPTIONS') {
             $response = new Response(204);
@@ -48,6 +48,10 @@ class CorsMiddleware implements MiddlewareInterface
             $response = $handler->handle($request);
         }
 
+        if ($allowOrigin === null) {
+            return $response; // Do not add CORS headers if origin is not allowed.
+        }
+
         $response = $response
             ->withHeader('Access-Control-Allow-Origin', $allowOrigin)
             ->withHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS')
@@ -61,8 +65,9 @@ class CorsMiddleware implements MiddlewareInterface
             $response = $response->withHeader('Access-Control-Allow-Credentials', 'true');
         }
 
-        $maxAge = Config::get('CORS_MAX_AGE') !== 3600 ? Config::get('CORS_MAX_AGE') : 3600;
+        $maxAge = Config::get('cors.max_age') ?: '86400'; // Use correct configuration key.
 
         return $response->withHeader('Access-Control-Max-Age', $maxAge);
     }
 }
+