0
0
FastAPIframework~10 mins

CORS middleware setup in FastAPI - Step-by-Step Execution

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf
Concept Flow - CORS middleware setup
Start FastAPI app
Import CORS middleware
Configure allowed origins, methods, headers
Add CORS middleware to app
Run app with CORS enabled
Browser sends request
Middleware checks origin
Allow request
Response sent with CORS headers
This flow shows how FastAPI sets up CORS middleware to check incoming requests' origins and allow or block them accordingly.
Execution Sample
FastAPI
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://example.com"],
    allow_methods=["GET", "POST"],
    allow_headers=["*"],
)
This code creates a FastAPI app and adds CORS middleware allowing only https://example.com to make GET and POST requests.
Execution Table
StepActionInput/StateMiddleware CheckResult
1Start appNo requests yetNo checkApp ready
2Add CORS middlewareallow_origins=['https://example.com']ConfiguredMiddleware active
3Incoming requestOrigin: https://example.com, Method: GETOrigin allowed?Allowed
4Send responseInclude CORS headersHeaders addedResponse sent with CORS headers
5Incoming requestOrigin: https://notallowed.com, Method: GETOrigin allowed?Blocked
6Send responseNo CORS headersRequest rejectedResponse sent without CORS headers
7Incoming requestOrigin: https://example.com, Method: DELETEMethod allowed?Blocked
8Send responseNo CORS headersRequest rejectedResponse sent without CORS headers
💡 Requests blocked if origin or method not allowed; otherwise, allowed with CORS headers.
Variable Tracker
VariableStartAfter Step 2After Step 3After Step 5After Step 7
allow_origins[]["https://example.com"]["https://example.com"]["https://example.com"]["https://example.com"]
allow_methods[]["GET", "POST"]["GET", "POST"]["GET", "POST"]["GET", "POST"]
request_originNoneNone"https://example.com""https://notallowed.com""https://example.com"
request_methodNoneNone"GET""GET""DELETE"
request_allowedFalseFalseTrueFalseFalse
Key Moments - 3 Insights
Why does a request from https://notallowed.com get blocked even if the method is GET?
Because the middleware checks the origin first and blocks any origin not in allow_origins, as shown in execution_table step 5.
What happens if the request method is DELETE but the origin is allowed?
The middleware blocks the request because DELETE is not in allow_methods, as shown in execution_table step 7.
Why are CORS headers only added to some responses?
CORS headers are added only when the request passes origin and method checks, as seen in steps 4 and blocked in steps 6 and 8.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what is the value of request_allowed at step 3?
ATrue
BFalse
CNone
DError
💡 Hint
Check the 'request_allowed' column in variable_tracker after step 3.
At which step does the middleware block a request due to an unallowed origin?
AStep 3
BStep 5
CStep 7
DStep 4
💡 Hint
Look at execution_table rows where 'Result' is 'Blocked' and check the 'Input/State' for origin.
If you add 'DELETE' to allow_methods, which step's result would change?
AStep 3
BStep 5
CStep 7
DStep 8
💡 Hint
Check the step where method DELETE is blocked and see what would happen if it was allowed.
Concept Snapshot
FastAPI CORS middleware setup:
- Import CORSMiddleware
- Add middleware with app.add_middleware(CORSMiddleware, allow_origins=[...], allow_methods=[...], allow_headers=[...])
- Middleware checks each request's Origin and Method
- Allows requests matching config, blocks others
- Adds CORS headers only to allowed requests
Full Transcript
This visual execution shows how to set up CORS middleware in FastAPI. First, the app imports and adds CORSMiddleware with specific allowed origins and methods. When a request comes in, the middleware checks if the origin is in the allowed list and if the method is permitted. If both checks pass, the request is allowed and CORS headers are added to the response. Otherwise, the request is blocked and no CORS headers are sent. The variable tracker shows how request origin, method, and allowed status change step by step. Key moments clarify why some requests are blocked. The quiz tests understanding of these steps.