Security News
New CVE Forecasting Tool Predicts 47,000 Disclosures in 2025
CVEForecast.org uses machine learning to project a record-breaking surge in vulnerability disclosures in 2025.
By Sarah Gooding - Jul 07, 2025
🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more →
- Maintainers
- 1
fastapi-cors
A simply scoped abstraction to provide CORS settings via environment variables to a Fastapi application.
Usage
from fastapi import FastAPI
# during this next line `fastapi_cors.env` will read environment variables from .env
from fastapi_cors import CORS
app = FastAPI()
CORS(app)
Opinions
A health check route is optionally added that displays these (but not other) environment variables.
If you want to disable it, use the code below
from fastapi import FastAPI
# during this next line `fastapi_cors.env` will read environment variables from .env
from fastapi_cors import CORS
app = FastAPI()
CORS(app, include_health_check=False)
Config
Configure FastAPI as usual. Extra arguments (that can be accessed from app.extra):
| Name | Default | Description |
|---|---|---|
HOST | 0.0.0.0 | Displayed in the Swagger title, with app.title. |
PORT | 8000 | Where to mount the static directory. Disabled if value is falsy. |
LOG_LEVEL | info | log level. |
ALLOW_ORIGINS | ["http://localhost","http://localhost:3000"] | A list of origins that should be permitted to make cross-origin requests. E.g. ['https://example.org', 'https://www.example.org']. You can use ['*'] to allow any origin. These are the URLs clients can make requests from |
ALLOWED_CREDENTIALS | True | Indicate that cookies should be supported for cross-origin requests. Also, allow_origins cannot be set to ['*'] for credentials to be allowed, origins must be specified. |
ALLOWED_METHODS | ["*"] | A list of HTTP methods that should be allowed for cross-origin requests. Defaults to ['*'] to allow all standard methods. You can use ['GET'] to reduce the list. |
ALLOWED_HEADERS | ["Access-Control-Allow-Origin"] | A list of HTTP request headers that should be supported for cross-origin requests. You can use ['*'] to allow all headers. The Accept, Accept-Language, Content-Language and Content-Type headers are always allowed for simple CORS requests |
⚠️
allow_originsdefault is["http://localhost","http://localhost:3000"], not[](80 -> docs, 3000 -> frontend)⚠️
allow_methodsdefault is["*"], not["GET"]⚠️
allowed_credentialsdefault isTrue, notFalseSee the FastAPI documentation on CORS for more information
Example Env
Values will be cast into a list of str, as appropriate.
HOST=0.0.0.0
PORT=8000
LOG_LEVEL=info
ALLOW_ORIGINS=http://localhost,http://localhost:3000
ALLOWED_CREDENTIALS=True
ALLOWED_METHODS=*
ALLOWED_HEADERS=Access-Control-Allow-Origin
Note, this is not required unless you are changing a default or want to declare them all
FAQs
Simple env support of CORS settings for Fastapi applications
We found that fastapi-cors demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Browserslist-rs Gets Major Refactor, Cutting Binary Size by Over 1MB
Browserslist-rs now uses static data to reduce binary size by over 1MB, improving memory use and performance for Rust-based frontend tools.
By Sarah Gooding - Jul 04, 2025
Research
Security News
8 More Malicious Firefox Extensions: Exploiting Popular Game Recognition, Hijacking User Sessions, and Stealing OAuth Credentials
Eight new malicious Firefox extensions impersonate games, steal OAuth tokens, hijack sessions, and exploit browser permissions to spy on users.
By Kush Pandya - Jul 04, 2025