parameters:
    env(CORS_ALLOW_ORIGIN): 'localhost'

nelmio_cors:
    defaults:
        # for security reasons we do not allow CORS by default
        allow_origin: []
        allow_headers: []
        allow_methods: []
        expose_headers: []
        max_age: 0
        hosts: []
        origin_regex: true
        forced_allow_origin_value: ~
    paths:
        # only the API endpoints are accessible
        '^/api/':
            # allow_origin: ['%env(CORS_ALLOW_ORIGIN)%']
            allow_origin: ['*']
            allow_headers: ['Content-Type', 'Authorization', 'X-AUTH-USER', 'X-AUTH-TOKEN']
            allow_methods: ['GET', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE']
            # expose_headers: ['Link']
            max_age: 3600

when@dev:
    nelmio_cors:
        paths:
            '^/api/':
                allow_private_network: true