{"library":"django-cors-headers","title":"Django CORS Headers","description":"django-cors-headers is a Django application that simplifies the handling of server headers required for Cross-Origin Resource Sharing (CORS). It provides a robust and flexible solution to manage cross-origin requests, allowing Django applications to securely interact with frontend applications hosted on different domains. The current version is 4.9.0, and it maintains an active release cadence with regular updates and community support.","status":"active","version":"4.9.0","language":"en","source_language":"en","source_url":"https://github.com/adamchainz/django-cors-headers","tags":["django","cors","security","middleware","http"],"install":[{"cmd":"pip install django-cors-headers","lang":"bash","label":"Install stable version"}],"dependencies":[],"imports":[{"symbol":"CorsMiddleware","correct":"from corsheaders.middleware import CorsMiddleware"}],"quickstart":{"code":"# settings.py\n\nINSTALLED_APPS = [\n    # ... other apps\n    'corsheaders',\n    # ...\n]\n\nMIDDLEWARE = [\n    'corsheaders.middleware.CorsMiddleware',\n    'django.middleware.security.SecurityMiddleware',\n    'django.contrib.sessions.middleware.SessionMiddleware',\n    'django.middleware.common.CommonMiddleware',\n    'django.middleware.csrf.CsrfViewMiddleware',\n    'django.contrib.auth.middleware.AuthenticationMiddleware',\n    'django.contrib.messages.middleware.MessageMiddleware',\n    'django.middleware.clickjacking.XFrameOptionsMiddleware',\n    # ... other middleware\n]\n\n# Whitelist specific origins. 
In production, avoid CORS_ALLOW_ALL_ORIGINS = True.\nCORS_ALLOWED_ORIGINS = [\n    \"http://localhost:3000\",\n    \"http://127.0.0.1:3000\",\n    # Add your frontend origins here, scheme (and non-default port) included, e.g. \"https://yourfrontend.com\"\n]\n\n# Optional: allow credentials (cookies, Authorization header) to be sent cross-origin.\n# Only enable this together with an explicit CORS_ALLOWED_ORIGINS list.\n# CORS_ALLOW_CREDENTIALS = True\n\n# Development only: allow every origin. Never ship this, and never combine it with\n# CORS_ALLOW_CREDENTIALS = True, which would reflect any Origin with credentials.\n# CORS_ALLOW_ALL_ORIGINS = True\n\n# These are the default CORS_ALLOW_METHODS; set the list only to restrict or extend them\n# CORS_ALLOW_METHODS = [\n#     'DELETE',\n#     'GET',\n#     'OPTIONS',\n#     'PATCH',\n#     'POST',\n#     'PUT',\n# ]","lang":"python","description":"To enable CORS, install the package, add `corsheaders` to `INSTALLED_APPS` and put `corsheaders.middleware.CorsMiddleware` as high as possible in `MIDDLEWARE` in `settings.py`, above any middleware that can return a response on its own (for example `CommonMiddleware`, which issues `APPEND_SLASH` redirects, or WhiteNoise). Then set `CORS_ALLOWED_ORIGINS` to the exact origins of your frontends, each written as `scheme://host[:port]`. `CORS_ALLOW_ALL_ORIGINS = True` is acceptable for local development only; in production it lets any website read responses from your API."},"warnings":[{"fix":"Put 'corsheaders.middleware.CorsMiddleware' at the top of MIDDLEWARE in settings.py, or at least above CommonMiddleware, WhiteNoiseMiddleware and any custom middleware that can return a response.","message":"Middleware order matters. `CorsMiddleware` answers preflight `OPTIONS` requests itself and adds the `Access-Control-*` headers to responses on the way out, so it must run before any middleware that can short-circuit the request with its own response (`CommonMiddleware` redirects, WhiteNoise static files, custom middleware returning 401/403). A response generated by a middleware listed above `CorsMiddleware` never receives CORS headers, and the browser reports a generic CORS error instead of the real status.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Rename `CORS_ORIGIN_WHITELIST` to `CORS_ALLOWED_ORIGINS` (likewise `CORS_ORIGIN_ALLOW_ALL` to `CORS_ALLOW_ALL_ORIGINS` and `CORS_ORIGIN_REGEX_WHITELIST` to `CORS_ALLOWED_ORIGIN_REGEXES`), and write every origin with its scheme and, where it is not the default for that scheme, its port (e.g. 'http://localhost:3000').","message":"`CORS_ORIGIN_WHITELIST` was renamed to `CORS_ALLOWED_ORIGINS` in version 3.5.0; the old name still works as an alias, with the new name taking precedence. 
Since 3.0.0 allowed origins *require* a URI scheme (e.g. 'https://example.com' instead of 'example.com') and may carry a port; an entry without a scheme fails the startup system check. Matching is exact on scheme, host and port, so 'http://example.com' is not admitted by an entry for 'https://example.com'. Earlier versions compared only the host part of the `Origin` header, which let a plaintext-HTTP origin pass for its HTTPS counterpart.","severity":"breaking","affected_versions":">=3.0.0"},{"fix":"In production, list the exact trusted origins in `CORS_ALLOWED_ORIGINS`. For origins that vary (preview deployments, per-tenant subdomains) use `CORS_ALLOWED_ORIGIN_REGEXES` with patterns anchored at both ends (`^https://...$`) and review each one: a permissive pattern is the same hole as allowing all origins.","message":"Do not set `CORS_ALLOW_ALL_ORIGINS = True` in production: every website can then send requests to your API and read the responses. Combined with `CORS_ALLOW_CREDENTIALS = True` it is worse still, because the middleware then reflects the request's own `Origin` (browsers reject `*` for credentialed requests), so any page the user visits can act as that user. Be specific with `CORS_ALLOWED_ORIGINS`.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Set `CORS_ALLOW_CREDENTIALS = True` in `settings.py`, send credentials from the client, and for cookies set `SESSION_COOKIE_SAMESITE = 'None'` together with `SESSION_COOKIE_SECURE = True` (likewise `CSRF_COOKIE_SAMESITE` / `CSRF_COOKIE_SECURE` if the CSRF cookie must travel cross-site).","message":"If the frontend sends credentials (session cookies or an `Authorization` header), set `CORS_ALLOW_CREDENTIALS = True` in Django settings and configure the client to send them (`withCredentials: true` for Axios, `credentials: 'include'` for the Fetch API). For cookies, also check Django's `SESSION_COOKIE_SAMESITE` setting (default 'Lax' since Django 2.1): a Lax cookie is not sent on cross-site `fetch`/XHR requests, so set it to 'None', which browsers honour only on cookies that also carry the `Secure` flag, hence `SESSION_COOKIE_SECURE = True` and HTTPS on both sides. Enabling credentials only makes sense with an explicit `CORS_ALLOWED_ORIGINS` list, never with `CORS_ALLOW_ALL_ORIGINS`.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Configure CORS policies directly on your CDN, cloud storage bucket (e.g. Google Cloud Storage) or web server (Nginx/Apache) for assets served from those locations.","message":"If static files or other assets are served from a different domain (a CDN, or a cloud storage bucket such as Google Cloud Storage), CORS headers must be configured on the *server hosting those assets*, not just in your Django application. 
`django-cors-headers` only adds headers to responses that Django itself serves.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Remove `CORS_REPLACE_HTTPS_REFERER` and `CorsPostCsrfMiddleware`. Add your trusted frontend origins to `CSRF_TRUSTED_ORIGINS` in `settings.py`, scheme included (required since Django 4.0, e.g. 'https://app.example.com').","message":"The `CORS_REPLACE_HTTPS_REFERER` setting and `CorsPostCsrfMiddleware` were removed in 3.1.0. They existed to make Django's Referer check pass for cross-origin requests over HTTPS; Django's own `CSRF_TRUSTED_ORIGINS` setting covers that case and is the supported solution. CORS and CSRF are separate controls: an origin in `CORS_ALLOWED_ORIGINS` must also appear in `CSRF_TRUSTED_ORIGINS`, and the client must still send the CSRF token, for unsafe-method requests to pass `CsrfViewMiddleware`.","severity":"deprecated","affected_versions":">=3.1.0"}],"env_vars":null,"last_verified":"2026-04-05T00:00:00.000Z","next_check":"2026-07-04T00:00:00.000Z"}
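The allowlist, scheme and credentials rules in the warnings above, as an added worked example. This is not code from the page or from django-cors-headers: it models the decision the middleware makes (exact scheme://host[:port] match, anchored regex match, allow-all, and the reflect-the-Origin behaviour when credentials are enabled) in plain Python so the effect of each setting can be checked without installing Django. The setting and header names are the library's; the two settings dicts, the example origins and the `audit` helper are constructed for this illustration.

```python
"""Model of the Access-Control-Allow-* decision that django-cors-headers makes.

Added illustration, not the library's code: the allowlist logic is
re-implemented as plain functions so the effect of each setting can be
checked without running Django. Setting and header names are the library's;
the settings dicts and origins below are constructed for the example.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed settings. In a project these would live in settings.py.
PRODUCTION = {
    "CORS_ALLOWED_ORIGINS": ["https://app.example.com"],
    "CORS_ALLOWED_ORIGIN_REGEXES": [r"^https://[a-z0-9-]+\.preview\.example\.com$"],
    "CORS_ALLOW_ALL_ORIGINS": False,
    "CORS_ALLOW_CREDENTIALS": True,
}

# The combination to avoid: every Origin reflected *and* credentials allowed.
WIDE_OPEN = {
    "CORS_ALLOWED_ORIGINS": [],
    "CORS_ALLOWED_ORIGIN_REGEXES": [],
    "CORS_ALLOW_ALL_ORIGINS": True,
    "CORS_ALLOW_CREDENTIALS": True,
}


def check_allowed_origins(origins: list[str]) -> list[str]:
    """Describe each CORS_ALLOWED_ORIGINS entry that is not scheme://host[:port].

    Models the startup system check the library has run since 3.0.0: an entry
    without a scheme ('example.com') or with a path is a configuration error.
    """
    problems = []
    for origin in origins:
        if origin == "null":  # the literal 'null' origin is the one exception
            continue
        parts = urlsplit(origin)
        if not parts.scheme or not parts.netloc:
            problems.append(f"{origin!r}: missing scheme or host")
        elif parts.path or parts.query or parts.fragment:
            problems.append(f"{origin!r}: an origin has no path, query or fragment")
    return problems


def origin_allowed(settings: dict, origin: str) -> bool:
    """Exact scheme+host+port match against the list, otherwise a regex match."""
    if settings["CORS_ALLOW_ALL_ORIGINS"]:
        return True
    url = urlsplit(origin)
    for allowed in settings["CORS_ALLOWED_ORIGINS"]:
        if allowed == "null":
            if origin == "null":
                return True
            continue
        entry = urlsplit(allowed)
        # Scheme and netloc must both match: https://app.example.com admits
        # neither http://app.example.com nor https://app.example.com:8443.
        if (entry.scheme, entry.netloc) == (url.scheme, url.netloc):
            return True
    # re.match anchors only at the start, so a pattern without a trailing $
    # would also accept https://x.preview.example.com.attacker.net.
    return any(re.match(p, origin) for p in settings["CORS_ALLOWED_ORIGIN_REGEXES"])


def cors_response_headers(settings: dict, origin: str | None) -> dict[str, str]:
    """Headers the middleware would add to a response for a request with this Origin."""
    headers: dict[str, str] = {}
    if origin is None or not origin_allowed(settings, origin):
        return headers  # no CORS headers: the browser refuses to expose the response
    if settings["CORS_ALLOW_ALL_ORIGINS"] and not settings["CORS_ALLOW_CREDENTIALS"]:
        headers["Access-Control-Allow-Origin"] = "*"
    else:
        # Browsers reject '*' together with credentials, so the request's own
        # Origin is reflected. With ALLOW_ALL set as well, that means any site
        # can make credentialed requests to the API and read the responses.
        headers["Access-Control-Allow-Origin"] = origin
    if settings["CORS_ALLOW_CREDENTIALS"]:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def audit(settings: dict) -> list[str]:
    """Findings a reviewer would raise against a CORS configuration (constructed helper)."""
    findings = check_allowed_origins(settings["CORS_ALLOWED_ORIGINS"])
    if settings["CORS_ALLOW_ALL_ORIGINS"] and settings["CORS_ALLOW_CREDENTIALS"]:
        findings.append(
            "CORS_ALLOW_ALL_ORIGINS with CORS_ALLOW_CREDENTIALS reflects any Origin "
            "with credentials: every site can act as the logged-in user"
        )
    for pattern in settings["CORS_ALLOWED_ORIGIN_REGEXES"]:
        if not pattern.endswith("$"):
            findings.append(f"regex {pattern!r} is not anchored at the end")
    return findings


if __name__ == "__main__":
    for name, settings in (("PRODUCTION", PRODUCTION), ("WIDE_OPEN", WIDE_OPEN)):
        print(name, audit(settings) or "no findings")
        for origin in ("https://app.example.com", "http://app.example.com",
                       "https://pr-42.preview.example.com", "https://attacker.example.net"):
            print("  ", origin, "->", cors_response_headers(settings, origin))
```

Running the script shows the two configurations side by side: under PRODUCTION only the exact HTTPS origin and the anchored preview pattern receive `Access-Control-Allow-Origin`, while the plaintext-HTTP variant and a lookalike host get nothing; under WIDE_OPEN every origin is reflected together with `Access-Control-Allow-Credentials: true`, which is exactly the finding `audit` reports.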