
Security News
New CVE Forecasting Tool Predicts 47,000 Disclosures in 2025
CVEForecast.org uses machine learning to project a record-breaking surge in vulnerability disclosures in 2025.
A simply scoped abstraction to provide CORS settings via environment variables to a Fastapi application.
from fastapi import FastAPI
# during this next line `fastapi_cors.env` will read environment variables from .env
from fastapi_cors import CORS
app = FastAPI()
CORS(app)
A health check route is optionally added that displays these (but not other) environment variables.
If you want to disable it, use the code below
from fastapi import FastAPI
# during this next line `fastapi_cors.env` will read environment variables from .env
from fastapi_cors import CORS
app = FastAPI()
CORS(app, include_health_check=False)
Configure FastAPI as usual. Extra arguments (that can be accessed from app.extra
):
Name | Default | Description |
---|---|---|
HOST | 0.0.0.0 | Displayed in the Swagger title, with app.title . |
PORT | 8000 | Where to mount the static directory. Disabled if value is falsy. |
LOG_LEVEL | info | log level. |
ALLOW_ORIGINS | ["http://localhost","http://localhost:3000"] | A list of origins that should be permitted to make cross-origin requests. E.g. ['https://example.org', 'https://www.example.org']. You can use ['*'] to allow any origin. These are the URLs clients can make requests from |
ALLOWED_CREDENTIALS | True | Indicate that cookies should be supported for cross-origin requests. Also, allow_origins cannot be set to ['*'] for credentials to be allowed, origins must be specified. |
ALLOWED_METHODS | ["*"] | A list of HTTP methods that should be allowed for cross-origin requests. Defaults to ['*'] to allow all standard methods. You can use ['GET'] to reduce the list. |
ALLOWED_HEADERS | ["Access-Control-Allow-Origin"] | A list of HTTP request headers that should be supported for cross-origin requests. You can use ['*'] to allow all headers. The Accept, Accept-Language, Content-Language and Content-Type headers are always allowed for simple CORS requests |
⚠️
allow_origins
default is["http://localhost","http://localhost:3000"]
, not[]
(80 -> docs, 3000 -> frontend)⚠️
allow_methods
default is["*"]
, not["GET"]
⚠️
allowed_credentials
default isTrue
, notFalse
See the FastAPI documentation on CORS for more information
Values will be cast into a list
of str
, as appropriate.
HOST=0.0.0.0
PORT=8000
LOG_LEVEL=info
ALLOW_ORIGINS=http://localhost,http://localhost:3000
ALLOWED_CREDENTIALS=True
ALLOWED_METHODS=*
ALLOWED_HEADERS=Access-Control-Allow-Origin
Note, this is not required unless you are changing a default or want to declare them all
FAQs
Simple env support of CORS settings for Fastapi applications
We found that fastapi-cors demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
CVEForecast.org uses machine learning to project a record-breaking surge in vulnerability disclosures in 2025.
Security News
Browserslist-rs now uses static data to reduce binary size by over 1MB, improving memory use and performance for Rust-based frontend tools.
Research
Security News
Eight new malicious Firefox extensions impersonate games, steal OAuth tokens, hijack sessions, and exploit browser permissions to spy on users.