CORS middleware setup in FastAPI - Cheat Sheet & Quick Revision

Recall & Review
beginner
What does CORS stand for and why is it important in web development?
CORS stands for Cross-Origin Resource Sharing. It is important because it controls how resources on a web server can be requested from another domain, helping to keep web applications secure by preventing unauthorized cross-origin requests.
beginner
How do you add CORS middleware in a FastAPI application?
You add CORS middleware by importing CORSMiddleware from fastapi.middleware.cors and then using app.add_middleware() with CORSMiddleware, specifying allowed origins, methods, headers, and optionally allow_credentials.
beginner
What is the purpose of the 'allow_origins' parameter in FastAPI's CORSMiddleware?
'allow_origins' defines which domains are allowed to make cross-origin requests to your FastAPI app. It can be a list of URLs or ['*'] to allow all origins.
intermediate
Why should you avoid setting 'allow_origins' to ['*'] in production?
Setting 'allow_origins' to ['*'] allows any website to access your API, which can be a security risk. It's better to specify trusted domains to limit access.
beginner
Show a simple example of CORS middleware setup in FastAPI allowing only 'https://example.com'.
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://example.com"],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

# This setup allows only https://example.com to access the API.
What does the 'allow_methods' parameter in FastAPI's CORSMiddleware control?
A. Which HTTP methods are allowed for cross-origin requests
B. Which domains can access the API
C. Whether cookies are allowed
D. The maximum request size
Which FastAPI import is needed to add CORS middleware?
A. from fastapi.cors import Middleware
B. from fastapi.middleware import CORS
C. from fastapi.middleware.cors import CORSMiddleware
D. from fastapi.middleware.cors import Middleware
What happens if you set 'allow_origins' to ['*'] in CORSMiddleware?
A. No origins are allowed
B. All origins are allowed to access the API
C. Only localhost is allowed
D. Only HTTPS origins are allowed
Which parameter allows cookies to be sent in cross-origin requests in FastAPI's CORSMiddleware?
A. allow_methods
B. allow_headers
C. allow_origins
D. allow_credentials
Why is CORS middleware necessary in a FastAPI app?
A. To control and secure cross-origin HTTP requests
B. To speed up the API responses
C. To handle database connections
D. To manage user authentication
Explain how to set up CORS middleware in a FastAPI app to allow only specific domains.
Think about the parameters you pass to CORSMiddleware and how they control access.
Describe the security implications of using a wildcard '*' for allow_origins in CORS middleware.
Consider what happens when you open access to everyone.

      Practice

      1. What is the main purpose of adding CORS middleware in a FastAPI application?
      easy
      A. To speed up the API response time
      B. To control which external websites can access your API
      C. To handle database connections securely
      D. To log all incoming requests for debugging

      Solution

      1. Step 1: Understand CORS middleware role

        CORS middleware is used to manage cross-origin requests, which means controlling which websites can call your API.
      2. Step 2: Identify the correct purpose

        Among the options, only controlling external website access matches the role of CORS middleware.
      3. Final Answer:

        To control which external websites can access your API -> Option B
      4. Quick Check:

        CORS controls access permissions [OK]
      Hint: Remember: CORS = Cross-Origin Resource Sharing control [OK]
      Common Mistakes:
      • Confusing CORS with performance optimization
      • Thinking CORS manages database security
      • Assuming CORS logs requests
      2. Which of the following is the correct way to add CORS middleware in FastAPI?
      easy
      A. app.middleware(CORSMiddleware, allow_origins=["*"])
      B. app.use(CORSMiddleware, allow_origins=["*"])
      C. app.add_middleware(CORSMiddleware, allow_origins=["*"], allow_methods=["GET"])
      D. app.add_cors(allow_origins=["*"])

      Solution

      1. Step 1: Recall FastAPI middleware syntax

        FastAPI uses app.add_middleware() to add middleware components like CORSMiddleware.
      2. Step 2: Check option syntax correctness

        app.add_middleware(CORSMiddleware, allow_origins=["*"], allow_methods=["GET"]) uses app.add_middleware with CORSMiddleware and proper parameters, matching FastAPI docs.
      3. Final Answer:

        app.add_middleware(CORSMiddleware, allow_origins=["*"], allow_methods=["GET"]) -> Option C
      4. Quick Check:

        Use add_middleware() to add CORS [OK]
      Hint: FastAPI middleware always uses add_middleware() method [OK]
      Common Mistakes:
      • Using app.use() which is not FastAPI syntax
      • Trying app.middleware() instead of add_middleware()
      • Calling a non-existent add_cors() method
      3. Given this FastAPI code snippet, what will be the effect of the CORS middleware?
      from fastapi import FastAPI
      from fastapi.middleware.cors import CORSMiddleware
      
      app = FastAPI()
      
      app.add_middleware(
          CORSMiddleware,
          allow_origins=["https://example.com"],
          allow_methods=["GET", "POST"],
          allow_headers=["*"],
      )
      
      @app.get("/")
      async def root():
          return {"message": "Hello"}
      medium
      A. Only requests from https://example.com with GET or POST methods are allowed
      B. All origins and methods are allowed
      C. No requests are allowed because allow_origins is too restrictive
      D. Only GET requests from any origin are allowed

      Solution

      1. Step 1: Analyze allow_origins and allow_methods

        allow_origins is set to ["https://example.com"], so only that origin is allowed. allow_methods includes GET and POST.
      2. Step 2: Determine request permissions

        Requests from other origins, or using methods other than GET and POST, will be blocked by CORS policy.
      3. Final Answer:

        Only requests from https://example.com with GET or POST methods are allowed -> Option A
      4. Quick Check:

        allow_origins and allow_methods restrict access [OK]
      Hint: Check allow_origins and allow_methods lists carefully [OK]
      Common Mistakes:
      • Assuming allow_origins=["*"] when it is not
      • Ignoring allow_methods restrictions
      • Thinking all origins are allowed by default
      4. Identify the error in this FastAPI CORS middleware setup:
      app.add_middleware(
          CORSMiddleware,
          allow_origins="*",
          allow_methods=["GET", "POST"],
          allow_headers=["*"]
      )
      medium
      A. CORSMiddleware must be imported from fastapi.middleware.security
      B. allow_methods should be a string, not a list
      C. allow_headers cannot contain '*'
      D. allow_origins should be a list, not a string

      Solution

      1. Step 1: Check allow_origins type

        allow_origins must be a list of strings, but here it is a single string "*".
      2. Step 2: Verify other parameters

        allow_methods is correctly a list, and allow_headers can accept ["*"] as a list.
      3. Final Answer:

        allow_origins should be a list, not a string -> Option D
      4. Quick Check:

        allow_origins requires a list [OK]
      Hint: Always use a list for allow_origins, even if one item [OK]
      Common Mistakes:
      • Passing allow_origins as a string instead of list
      • Misunderstanding allow_methods type
      • Wrong import path for CORSMiddleware
      5. You want your FastAPI backend to accept requests from two frontend domains: https://app1.example.com and https://app2.example.com. You also want to allow all HTTP methods and headers. Which CORS middleware setup is correct?
      hard
      A. app.add_middleware(CORSMiddleware, allow_origins=["https://app1.example.com", "https://app2.example.com"], allow_methods=["*"], allow_headers=["*"])
      B. app.add_middleware(CORSMiddleware, allow_origins=["*"])
      C. app.add_middleware(CORSMiddleware, allow_origins=["https://app1.example.com", "https://app2.example.com"], allow_methods=["GET", "POST"], allow_headers=["Content-Type"])
      D. app.add_middleware(CORSMiddleware, allow_origins="https://app1.example.com,https://app2.example.com", allow_methods=["*"], allow_headers=["*"])

      Solution

      1. Step 1: Set allow_origins correctly

        To allow two specific domains, use a list with both URLs as strings.
      2. Step 2: Allow all methods and headers

        Using ["*"] for allow_methods and allow_headers allows all HTTP methods and headers.
      3. Step 3: Check for syntax correctness

        app.add_middleware(CORSMiddleware, allow_origins=["https://app1.example.com", "https://app2.example.com"], allow_methods=["*"], allow_headers=["*"]) correctly uses a list for origins and lists with "*" for methods and headers.
      4. Final Answer:

        app.add_middleware(CORSMiddleware, allow_origins=["https://app1.example.com", "https://app2.example.com"], allow_methods=["*"], allow_headers=["*"]) -> Option A
      5. Quick Check:

        List origins + wildcard methods/headers [OK]
      Hint: Use list for origins and ["*"] to allow all methods/headers [OK]
      Common Mistakes:
      • Passing origins as a single comma string
      • Using allow_methods with limited verbs instead of wildcard
      • Setting allow_origins to ["*"] when only specific domains needed