How to Use CORS Middleware in Django: Simple Setup Guide
To use corsheaders middleware in Django, first install the django-cors-headers package, then add 'corsheaders.middleware.CorsMiddleware' to your MIDDLEWARE list before 'django.middleware.common.CommonMiddleware'. Finally, configure allowed origins with the CORS_ALLOWED_ORIGINS setting in your settings.py.
Syntax
Using CORS middleware in Django involves three main steps:
- Install the django-cors-headers package.
- Add 'corsheaders.middleware.CorsMiddleware' to the MIDDLEWARE list in settings.py, placing it before 'django.middleware.common.CommonMiddleware'.
- Set allowed origins using CORS_ALLOWED_ORIGINS or other related settings.
This setup enables your Django app to accept cross-origin HTTP requests from specified domains.
```python
INSTALLED_APPS = [
    ...
    'corsheaders',
    ...
]

MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    ...
]

CORS_ALLOWED_ORIGINS = [
    'https://example.com',
    'https://sub.example.com',
]
```
Example
This example shows a minimal Django settings.py configuration to enable CORS for two specific domains. It demonstrates how to install the package, update middleware, and set allowed origins.
```python
# Install the package first:
# pip install django-cors-headers

# settings.py
INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'corsheaders',
    # other apps
]

MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.middleware.common.CommonMiddleware',
    # other middleware
]

CORS_ALLOWED_ORIGINS = [
    'https://example.com',
    'https://myfrontend.com',
]

# Optional: allow all origins (not recommended for production)
# CORS_ALLOW_ALL_ORIGINS = True
```
Output
The Django server will accept cross-origin requests only from the https://example.com and https://myfrontend.com origins.
Common Pitfalls
- Not installing django-cors-headers before configuring middleware causes errors.
- Placing CorsMiddleware after CommonMiddleware prevents it from working properly.
- Forgetting to add 'corsheaders' to INSTALLED_APPS will disable the middleware.
- Setting CORS_ALLOWED_ORIGINS incorrectly or leaving it empty blocks all cross-origin requests.
- Using CORS_ALLOW_ALL_ORIGINS = True in production can expose your API to security risks.
```python
# Wrong order example (does NOT work):
MIDDLEWARE = [
    'django.middleware.common.CommonMiddleware',
    'corsheaders.middleware.CorsMiddleware',
    ...
]

# Correct order example:
MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    ...
]
```
Quick Reference
| Setting | Purpose | Example Value |
|---|---|---|
| INSTALLED_APPS | Add 'corsheaders' to enable middleware | ['corsheaders', ...] |
| MIDDLEWARE | Add 'corsheaders.middleware.CorsMiddleware' before CommonMiddleware | ['corsheaders.middleware.CorsMiddleware', 'django.middleware.security.SecurityMiddleware', 'django.middleware.common.CommonMiddleware', ...] |
| CORS_ALLOWED_ORIGINS | List of allowed domains for cross-origin requests | ['https://example.com', 'https://myfrontend.com'] |
| CORS_ALLOW_ALL_ORIGINS | Allow all origins (use with caution) | True or False |
Key Takeaways
Install django-cors-headers and add it to INSTALLED_APPS before using the middleware.
Place CorsMiddleware at the top of the MIDDLEWARE list before CommonMiddleware.
Use CORS_ALLOWED_ORIGINS to specify which domains can access your Django API.
Avoid enabling CORS_ALLOW_ALL_ORIGINS in production to keep your app secure.
Check middleware order and settings carefully to prevent CORS errors.