Flask-CORS
raw JSON → 6.0.2 verified Tue May 12 auth: no python install: verified quickstart: stale
Flask-CORS is a Flask extension that simplifies the implementation of Cross-Origin Resource Sharing (CORS) in Flask applications, enabling cross-origin AJAX requests. It supports global, resource-specific, and route-specific CORS configurations. The current version is 6.0.2, and it maintains an active release cadence with regular updates and security patches.
pip install Flask-CORS Common errors
error ModuleNotFoundError: No module named 'flask_cors' ↓
cause The 'flask-cors' package has not been installed in your Python environment or is not accessible in the environment where your Flask application is running.
fix
Install the package using pip:
pip install flask-cors error Access to fetch at 'http://your-flask-app.com/api' from origin 'http://your-frontend.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. ↓
cause Your Flask server is not configured to send the 'Access-Control-Allow-Origin' header, which is required by browsers to allow cross-origin requests from your frontend application. This often happens because Flask-CORS is not initialized or configured correctly to allow the specific origin of the client application.
fix
Initialize Flask-CORS on your Flask app, specifying the allowed origins. For all origins (development):
from flask_cors import CORS; CORS(app). For specific origins: CORS(app, origins=['http://your-frontend.com']) error Method Not Allowed (405) ↓
cause This error, in the context of CORS, often occurs during a preflight OPTIONS request or for complex requests (e.g., PUT, DELETE with custom headers) where the Flask-CORS configuration does not explicitly allow the HTTP method being used or the necessary headers for the preflight response.
fix
Ensure
flask-cors is configured to allow the specific HTTP methods and headers for your routes. When initializing CORS(app), you can specify methods=['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'] and headers=['Content-Type', 'Authorization'] (adjust as needed). Also, ensure OPTIONS requests are handled, which Flask-CORS does by default when enabled globally or per route with @cross_origin(). error Access to XMLHttpRequest at 'http://your-flask-app.com/data' from origin 'http://localhost:3000' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. ↓
cause You are attempting to make a cross-origin request with credentials (e.g., cookies, HTTP authentication) while the server's 'Access-Control-Allow-Origin' header is set to '*', which is not permitted by the W3C CORS specification for security reasons.
fix
When using
supports_credentials=True in CORS(app, supports_credentials=True), you must specify exact origins instead of the wildcard '*'. Change CORS(app) or CORS(app, origins='*') to CORS(app, origins=['http://localhost:3000'], supports_credentials=True) (replace 'http://localhost:3000' with your actual frontend origin). Warnings
breaking In version 6.0.0, the path specificity ordering for CORS rules changed to improve specificity. This might alter how CORS rules are applied if your application relied on the previous, less specific ordering. Additionally, `urllib.unquote_plus` was replaced with `urllib.unquote`, and request path matching became case-sensitive. ↓
fix Review your CORS configurations, especially those with multiple resource paths, to ensure they match the new specificity order. Test cross-origin requests thoroughly to confirm expected behavior. Ensure your application's request paths are consistently cased if matching rules rely on it.
breaking Version 5.0.0 introduced a breaking change by defaulting to disable private network access. This was a security enhancement. If your application needs to make requests to private network resources from a public-facing origin, you will need to explicitly re-enable this functionality. ↓
fix If your application requires private network access, consult the Flask-CORS documentation for the specific configuration option to re-enable it. Typically, this involves setting a configuration flag.
breaking Version 4.0.0 dropped support for Python versions older than 3.8. Applications running on Python 3.7 or earlier will not be able to upgrade to Flask-CORS 4.0.0 or newer. ↓
fix Upgrade your Python environment to 3.8 or newer before upgrading to Flask-CORS 4.0.0+.
gotcha Enabling `supports_credentials=True` allows browsers to send cookies and HTTP authentication headers with cross-origin requests. While necessary for authenticated requests, it introduces security implications and should always be used in conjunction with robust CSRF protection. ↓
fix Implement CSRF protection (e.g., Flask-WTF CSRFProtect) when `supports_credentials=True` is enabled. Carefully define `origins` to restrict access to trusted domains only.
gotcha Using `origins='*'` (allowing all origins) is generally not recommended for production environments due to security risks. It can expose your API to unintended access. ↓
fix Always specify a list of explicit, trusted `origins` (e.g., `origins=['http://localhost:3000', 'https://your-frontend.com']`) instead of `*` in production deployments.
gotcha When specifying `origins` in `CORS` or `@cross_origin`, ensure you include the full schema (http/https) and the port number (if not the default 80 or 443). For example, `http://localhost:8000` is correct, while `localhost:8000` or `http://localhost` (if on a non-default port) might not work. ↓
fix Always provide complete origin URLs, including schema and port, in the `origins` list or string.
gotcha The `cross_origin` decorator/function must be explicitly imported from `flask_cors` before use, otherwise a `NameError` will occur. ↓
fix Ensure `cross_origin` is imported from `flask_cors` (e.g., `from flask_cors import cross_origin`).
gotcha The `cross_origin` decorator must be explicitly imported from `flask_cors` before use. Failing to import it (e.g., `from flask_cors import cross_origin`) will result in a `NameError`. ↓
fix Ensure that `from flask_cors import cross_origin` is included at the top of any file where the `@cross_origin` decorator is used.
Install compatibility verified last tested: 2026-05-12
python os / libc status wheel install import disk
3.10 alpine (musl) wheel - 0.47s 22.5M
3.10 alpine (musl) - - 0.49s 22.5M
3.10 slim (glibc) wheel 2.1s 0.40s 23M
3.10 slim (glibc) - - 0.36s 23M
3.11 alpine (musl) wheel - 0.60s 25.2M
3.11 alpine (musl) - - 0.66s 25.1M
3.11 slim (glibc) wheel 2.4s 0.55s 26M
3.11 slim (glibc) - - 0.50s 26M
3.12 alpine (musl) wheel - 0.52s 16.8M
3.12 alpine (musl) - - 0.54s 16.8M
3.12 slim (glibc) wheel 2.1s 0.55s 17M
3.12 slim (glibc) - - 0.53s 17M
3.13 alpine (musl) wheel - 0.50s 16.6M
3.13 alpine (musl) - - 0.56s 16.5M
3.13 slim (glibc) wheel 2.1s 0.51s 17M
3.13 slim (glibc) - - 0.53s 17M
3.9 alpine (musl) wheel - 0.41s 22.2M
3.9 alpine (musl) - - 0.43s 22.2M
3.9 slim (glibc) wheel 2.7s 0.40s 23M
3.9 slim (glibc) - - 0.35s 23M
Imports
- CORS wrong
from flask.ext.cors import CORScorrectfrom flask_cors import CORS - cross_origin
from flask_cors import cross_origin
Quickstart stale last tested: 2026-04-24
from flask import Flask
from flask_cors import CORS
import os
app = Flask(__name__)
CORS(app) # Enable CORS for all routes, for all origins and methods
@app.route("/")
def hello_world():
return "Hello, cross-origin-world!"
# Example of specific CORS for an API endpoint
@app.route("/api/data")
@cross_origin(origins="http://localhost:3000", methods=["GET", "POST"], supports_credentials=True)
def get_data():
return {"message": "Data from API!"}
if __name__ == '__main__':
app.run(debug=True, port=int(os.environ.get('PORT', 5000)))