apiaframework · jimehk · Oct 22, 2025 · Oct 21, 2025
diff --git a/lib/apia/cors.rb b/lib/apia/cors.rb
@@ -17,18 +17,18 @@ def to_headers
       return {} if @origin.nil?
 
       headers = {}
-      headers['Access-Control-Allow-Origin'] = @origin
+      headers['access-control-allow-origin'] = @origin
 
       if @methods.is_a?(String)
-        headers['Access-Control-Allow-Methods'] = @methods
+        headers['access-control-allow-methods'] = @methods
       elsif @methods.is_a?(Array) && @methods.any?
-        headers['Access-Control-Allow-Methods'] = @methods.map(&:upcase).join(', ')
+        headers['access-control-allow-methods'] = @methods.map(&:upcase).join(', ')
       end
 
       if @headers.is_a?(String)
-        headers['Access-Control-Allow-Headers'] = @headers
+        headers['access-control-allow-headers'] = @headers
       elsif @headers.is_a?(Array) && @headers.any?
-        headers['Access-Control-Allow-Headers'] = @headers.join(', ')
+        headers['access-control-allow-headers'] = @headers.join(', ')
       end
 
       headers

diff --git a/spec/specs/apia/cors_spec.rb b/spec/specs/apia/cors_spec.rb
@@ -9,8 +9,8 @@
 
     context 'with the details' do
       it 'returns a wildcard origin and methods' do
-        expect(cors.to_headers).to eq({ 'Access-Control-Allow-Origin' => '*',
-                                        'Access-Control-Allow-Methods' => '*' })
+        expect(cors.to_headers).to eq({ 'access-control-allow-origin' => '*',
+                                        'access-control-allow-methods' => '*' })
       end
     end
 
@@ -26,50 +26,50 @@
         cors.origin = 'example.com'
       end
 
-      it 'includes the Access-Control-Allow-Origin header' do
+      it 'includes the "access-control-allow-origin" header' do
         expect(cors.to_headers).to eq({
-          'Access-Control-Allow-Origin' => 'example.com',
-          'Access-Control-Allow-Methods' => '*'
+          'access-control-allow-origin' => 'example.com',
+          'access-control-allow-methods' => '*'
         })
       end
 
       context 'when methods have been provided' do
-        it 'includes the Access-Control-Allow-Methods header' do
+        it 'includes the "access-control-allow-methods" header' do
           cors.methods = %w[GET POST]
           expect(cors.to_headers).to eq({
-            'Access-Control-Allow-Origin' => 'example.com',
-            'Access-Control-Allow-Methods' => 'GET, POST'
+            'access-control-allow-origin' => 'example.com',
+            'access-control-allow-methods' => 'GET, POST'
           })
         end
 
         it 'upcases any methods provided' do
           cors.methods = %w[get post]
           expect(cors.to_headers).to eq({
-            'Access-Control-Allow-Origin' => 'example.com',
-            'Access-Control-Allow-Methods' => 'GET, POST'
+            'access-control-allow-origin' => 'example.com',
+            'access-control-allow-methods' => 'GET, POST'
           })
         end
       end
 
       context 'when headers have been provided' do
-        it 'includes the Access-Control-Allow-Headers header' do
+        it 'includes the "access-control-allow-headers" header' do
           cors.headers = %w[X-Custom Content-Type]
           expect(cors.to_headers).to eq({
-            'Access-Control-Allow-Origin' => 'example.com',
-            'Access-Control-Allow-Methods' => '*',
-            'Access-Control-Allow-Headers' => 'X-Custom, Content-Type'
+            'access-control-allow-origin' => 'example.com',
+            'access-control-allow-methods' => '*',
+            'access-control-allow-headers' => 'X-Custom, Content-Type'
           })
         end
       end
 
       context 'when methods and headers have been provided' do
-        it 'includes the Access-Control-Allow-Methods and Access-Control-Allow-Headers headers' do
+        it 'includes the "access-control-allow-methods" and "access-control-allow-headers" headers' do
           cors.methods = %w[GET POST]
           cors.headers = %w[X-Custom Content-Type]
           expect(cors.to_headers).to eq({
-            'Access-Control-Allow-Origin' => 'example.com',
-            'Access-Control-Allow-Methods' => 'GET, POST',
-            'Access-Control-Allow-Headers' => 'X-Custom, Content-Type'
+            'access-control-allow-origin' => 'example.com',
+            'access-control-allow-methods' => 'GET, POST',
+            'access-control-allow-headers' => 'X-Custom, Content-Type'
           })
         end
       end

diff --git a/spec/specs/apia/endpoint_spec.rb b/spec/specs/apia/endpoint_spec.rb
@@ -147,8 +147,8 @@
             request = Apia::Request.new(Rack::MockRequest.env_for('/', input: ''))
             endpoint = Apia::Endpoint.create('Endpoint')
             response = endpoint.execute(request)
-            expect(response.headers['Access-Control-Allow-Origin']).to eq '*'
-            expect(response.headers['Access-Control-Allow-Methods']).to eq '*'
+            expect(response.headers['access-control-allow-origin']).to eq '*'
+            expect(response.headers['access-control-allow-methods']).to eq '*'
           end
         end
 
@@ -168,9 +168,9 @@
             end
 
             response = endpoint.execute(request)
-            expect(response.headers['Access-Control-Allow-Origin']).to eq 'example.com'
-            expect(response.headers['Access-Control-Allow-Methods']).to eq 'GET, POST'
-            expect(response.headers['Access-Control-Allow-Headers']).to eq 'X-Custom'
+            expect(response.headers['access-control-allow-origin']).to eq 'example.com'
+            expect(response.headers['access-control-allow-methods']).to eq 'GET, POST'
+            expect(response.headers['access-control-allow-headers']).to eq 'X-Custom'
           end
         end
 
@@ -200,9 +200,9 @@
             response = endpoint.execute(request)
 
             expect(response.status).to eq 500
-            expect(response.headers['Access-Control-Allow-Origin']).to eq 'example.com'
-            expect(response.headers['Access-Control-Allow-Methods']).to eq 'GET, POST'
-            expect(response.headers['Access-Control-Allow-Headers']).to eq 'X-Custom'
+            expect(response.headers['access-control-allow-origin']).to eq 'example.com'
+            expect(response.headers['access-control-allow-methods']).to eq 'GET, POST'
+            expect(response.headers['access-control-allow-headers']).to eq 'X-Custom'
           end
         end
       end
@@ -212,8 +212,8 @@
           request = Apia::Request.new(Rack::MockRequest.env_for('/', input: '', method: 'OPTIONS'))
           endpoint = Apia::Endpoint.create('Endpoint')
           response = endpoint.execute(request)
-          expect(response.headers['Access-Control-Allow-Origin']).to eq '*'
-          expect(response.headers['Access-Control-Allow-Methods']).to eq '*'
+          expect(response.headers['access-control-allow-origin']).to eq '*'
+          expect(response.headers['access-control-allow-methods']).to eq '*'
           expect(response.status).to eq 200
           expect(response.body).to eq ''
         end

diff --git a/spec/specs/apia/rack_spec.rb b/spec/specs/apia/rack_spec.rb
@@ -190,9 +190,9 @@ def call(_env)
       expect(result[0]).to eq 200
 
       headers = result[1]
-      expect(headers['Access-Control-Allow-Methods']).to eq 'GET, OPTIONS'
-      expect(headers['Access-Control-Allow-Headers']).to eq 'Authorization, Content-Type'
-      expect(headers['Access-Control-Allow-Origin']).to eq 'example.com'
+      expect(headers['access-control-allow-methods']).to eq 'GET, OPTIONS'
+      expect(headers['access-control-allow-headers']).to eq 'Authorization, Content-Type'
+      expect(headers['access-control-allow-origin']).to eq 'example.com'
       expect(headers['x-executed'].nil?).to be true
 
       # assert body is empty (does not contain the response from the test endpoint)