A simply scoped abstraction to provide CORS settings via environment variables to a Fastapi application.
from fastapi import FastAPI
# during this next line `fastapi_cors.env` will read environment variables from .env
from fastapi_cors import CORS
app = FastAPI()
CORS(app)
A health check route is optionally added that displays these (but not other) environment variables.
If you want to disable it, use the code below
from fastapi import FastAPI
# during this next line `fastapi_cors.env` will read environment variables from .env
from fastapi_cors import CORS
app = FastAPI()
CORS(app, include_health_check=False)
Configure FastAPI as usual. Extra arguments (that can be accessed from app.extra):
| Name | Default | Description |
|---|---|---|
HOST | 0.0.0.0 | Displayed in the Swagger title, with app.title. |
PORT | 8000 | Where to mount the static directory. Disabled if value is falsy. |
LOG_LEVEL | info | log level. |
ALLOW_ORIGINS | ["http://localhost","http://localhost:3000"] | A list of origins that should be permitted to make cross-origin requests. E.g. ['https://example.org', 'https://www.example.org']. You can use ['*'] to allow any origin. These are the URLs clients can make requests from |
ALLOWED_CREDENTIALS | True | Indicate that cookies should be supported for cross-origin requests. Also, allow_origins cannot be set to ['*'] for credentials to be allowed, origins must be specified. |
ALLOWED_METHODS | ["*"] | A list of HTTP methods that should be allowed for cross-origin requests. Defaults to ['*'] to allow all standard methods. You can use ['GET'] to reduce the list. |
ALLOWED_HEADERS | ["Access-Control-Allow-Origin"] | A list of HTTP request headers that should be supported for cross-origin requests. You can use ['*'] to allow all headers. The Accept, Accept-Language, Content-Language and Content-Type headers are always allowed for simple CORS requests |
⚠️
allow_originsdefault is["http://localhost","http://localhost:3000"], not[](80 -> docs, 3000 -> frontend)⚠️
allow_methodsdefault is["*"], not["GET"]⚠️
allowed_credentialsdefault isTrue, notFalseSee the FastAPI documentation on CORS for more information
Values will be cast into a list of str, as appropriate.
HOST=0.0.0.0
PORT=8000
LOG_LEVEL=info
ALLOW_ORIGINS=http://localhost,http://localhost:3000
ALLOWED_CREDENTIALS=True
ALLOWED_METHODS=*
ALLOWED_HEADERS=Access-Control-Allow-Origin
Note, this is not required unless you are changing a default or want to declare them all
FAQs
Simple env support of CORS settings for Fastapi applications
We found that fastapi-cors demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
CAI is a new open source AI framework that automates penetration testing tasks like scanning and exploitation up to 3,600× faster than humans.
Security News
Deno 2.4 brings back bundling, improves dependency updates and telemetry, and makes the runtime more practical for real-world JavaScript projects.
Security News
CVEForecast.org uses machine learning to project a record-breaking surge in vulnerability disclosures in 2025.