{"id":5450,"library":"quart-cors","title":"Quart-CORS","description":"Quart-CORS is an extension for Quart, an async Python web application framework, designed to provide Cross-Origin Resource Sharing (CORS) access control support. It simplifies the process of adding necessary CORS headers to your Quart application or specific routes and WebSockets. The library is actively maintained, with its current version being 0.8.0, and receives regular updates to keep pace with Quart and web standards.","status":"active","version":"0.8.0","language":"en","source_language":"en","source_url":"https://github.com/pgjones/quart-cors","tags":["Quart","CORS","web development","ASGI","HTTP","async"],"install":[{"cmd":"pip install quart-cors","lang":"bash","label":"Install with pip"}],"dependencies":[{"reason":"Core web framework that quart-cors extends.","package":"quart","optional":false},{"reason":"Provides backported and experimental type hints.","package":"typing-extensions","optional":false}],"imports":[{"note":"Used to apply CORS settings application-wide or to a blueprint.","symbol":"cors","correct":"from quart_cors import cors"},{"note":"Decorator for applying CORS settings to individual HTTP routes.","symbol":"route_cors","correct":"from quart_cors import route_cors"},{"note":"Decorator for applying CORS settings to individual WebSocket handlers.","symbol":"websocket_cors","correct":"from quart_cors import websocket_cors"},{"note":"Decorator to exempt a route or WebSocket handler from global CORS settings.","symbol":"cors_exempt","correct":"from quart_cors import cors_exempt"}],"quickstart":{"code":"from quart import Quart, request\nfrom quart_cors import cors, route_cors\n\napp = Quart(__name__)\n\n# Apply CORS to the entire application, allowing all origins\n# For production, specify allowed origins instead of '*'\napp = cors(app, allow_origin='*')\n\n@app.route('/')\nasync def hello():\n    return 'Hello, Quart-CORS!'\n\n@app.route('/api/data', methods=['GET', 'POST'])\n@route_cors(allow_origin='https://example.com', allow_methods=['GET', 'POST'], allow_headers=['Content-Type'])\nasync def api_data():\n    if request.method == 'GET':\n        return {'message': 'This is your data!'}\n    elif request.method == 'POST':\n        data = await request.get_json()\n        return {'received': data, 'message': 'Data posted successfully!'}\n\nif __name__ == '__main__':\n    app.run()","lang":"python","description":"This quickstart demonstrates how to initialize a Quart application and apply CORS globally using `cors(app, allow_origin='*')`. It also shows how to use the `route_cors` decorator to apply more specific CORS rules to an individual API endpoint, allowing GET and POST requests from a specific origin with custom headers. Remember to replace `allow_origin='*'` with specific origins in production for security."},"warnings":[{"fix":"If `allow_credentials` is true, explicitly list all allowed origins (e.g., `allow_origin=['https://your-frontend.com']`) instead of using `'*'`.","message":"When `allow_credentials=True`, the `allow_origin` parameter MUST NOT be a wildcard (`*`). Instead, it must be a specific origin or a list of specific origins, as required by the CORS specification for security reasons.","severity":"breaking","affected_versions":"All versions"},{"fix":"Clear browser cache (especially for the affected domain) or disable cache in browser developer tools (Network tab) when debugging CORS issues. Consider setting appropriate `Access-Control-Max-Age` headers on your server.","message":"Aggressive browser caching (especially in Chrome) can lead to CORS errors persisting even after server-side fixes are deployed. Browsers might cache preflight `OPTIONS` responses, leading to outdated CORS headers being used.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure your frontend understands this behavior. `quart-cors` handles this dynamically for you if you provide a list of allowed origins, but be aware that the browser will only see one origin in the response header.","message":"As of Quart 0.11.1, the CORS specification dictates that only a single origin (or a wildcard) can be returned in the `Access-Control-Allow-Origin` header. If multiple specific origins are allowed by `quart-cors`, the library will dynamically set the header to the requesting origin if it's in the allowed list.","severity":"breaking","affected_versions":">=0.11.1 of Quart (affecting quart-cors's behavior)"},{"fix":"Always use `quart-cors` for Quart applications to ensure proper asynchronous handling of CORS headers.","message":"Attempting to use `Flask-CORS` with a Quart application will not work, as `Flask-CORS` relies on synchronous `app.make_response` calls which are incompatible with Quart's async nature.","severity":"breaking","affected_versions":"All versions"},{"fix":"Regularly update both `quart` and `quart-cors`. If encountering unexpected behavior after an update, check the changelogs for both libraries for any breaking changes or specific compatibility notes.","message":"While `quart-cors` is generally backward compatible with `Quart`, ensure that `quart` and `quart-cors` versions are reasonably aligned. Significant version jumps of `Quart` might introduce subtle incompatibilities.","severity":"gotcha","affected_versions":"All versions, especially with older Quart versions (e.g., Quart < 0.11.1 with newer quart-cors features)"}],"env_vars":null,"last_verified":"2026-04-13T00:00:00.000Z","next_check":"2026-07-12T00:00:00.000Z"}