π CORS in Nexios β
Got it! Iβll go through each CORS configuration setting in Nexios, explaining what it does and how it impacts requests.
π Basic CORS Configuration in Nexios β
Before diving into individual settings, hereβs a simple CORS setup using MakeConfig:
from nexios import MakeConfig
from nexios.middleware.cors import CORSMiddleware
config = MakeConfig({
"cors": {
"allow_origins": ["https://example.com"],
"allow_methods": ["GET", "POST"],
"allow_headers": ["Authorization", "X-Requested-With"],
"allow_credentials": True,
"max_age": 600,
"debug": True
}
})
app = NexiosApp(config = config)we can break it down further:
π allow_origins β
Purpose: Specifies which domains can access the API.
Example:
pythonconfig.cors["allow_origins"] = ["https://example.com", "https://another-site.com"]Special cases:
- Use
["*"]to allow requests from any origin (not safe if credentials are enabled). - If an origin is not listed here, the request will be blocked.
- Use
π« blacklist_origins β
Purpose: Specifies which origins should be blocked, even if they match
allow_origins.Example:
pythonconfig.cors["blacklist_origins"] = ["https://bad-actor.com"]Use case: If you allow all origins (
["*"]), but want to exclude specific ones.
π§ allow_methods β
Purpose: Defines which HTTP methods (GET, POST, etc.) are allowed in cross-origin requests.
Example:
pythonconfig.cors["allow_methods"] = ["GET", "POST", "PUT"]Default: All methods (
["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]) are allowed.
π allow_headers β
Purpose: Specifies which request headers are permitted in cross-origin requests.
Example:
pythonconfig.cors["allow_headers"] = ["Authorization", "X-Custom-Header"]Default: Basic headers like
Accept,Content-Type, etc., are always allowed.
π« blacklist_headers β
Purpose: Defines headers that should not be allowed in requests.
Example:
pythonconfig.cors["blacklist_headers"] = ["X-Disallowed-Header"]Use case: If you allow most headers but want to restrict specific ones.
π allow_credentials β
Purpose: Determines whether credentials (cookies, authorization headers) are allowed in requests.
Example:
pythonconfig.cors["allow_credentials"] = TrueImportant:
- If
True, the browser allows requests with credentials (e.g., session cookies). - If
True,allow_originscannot be"*"(security restriction). - If
False, credentials are blocked.
- If
π― allow_origin_regex β
Purpose: Uses a regex pattern to match allowed origins dynamically.
Example:
pythonconfig.cors["allow_origin_regex"] = r"https://.*\.trusted-site\.com"Use case: When you want to allow multiple subdomains without listing them individually.
ποΈ expose_headers β
Purpose: Specifies which response headers the client is allowed to access.
Example:
pythonconfig.cors["expose_headers"] = ["X-Response-Time"]Default: Only basic headers are exposed unless configured.
β±οΈ max_age β
Purpose: Defines how long the preflight (OPTIONS) response can be cached.
Example:
pythonconfig.cors["max_age"] = 600 # Cache for 10 minutesImpact: Reduces unnecessary preflight requests for frequent API calls.
π strict_origin_checking β
Purpose: If enabled, requests must include an
Originheader.Example:
pythonconfig.cors["strict_origin_checking"] = TrueUse case: When you want to strictly enforce CORS checks, especially for security.
π debug β
Purpose: Enables logging to troubleshoot CORS issues.
Example:
pythonconfig.cors["debug"] = TrueImpact:
- Prints logs when a request is blocked due to CORS.
- Useful for debugging in development.
β custom_error_status & custom_error_messages β
Purpose: Allows custom error handling for CORS failures.
Example:
pythonconfig.cors["custom_error_status"] = 403 config.cors["custom_error_messages"] = { "disallowed_origin": "This origin is not allowed.", "missing_origin": "The request is missing an origin." }Use case: When you want meaningful error messages instead of generic CORS errors.