# django-cors-headers
> django-cors-headers is a Django application for handling the server headers required for Cross-Origin Resource Sharing (CORS).
- **URL**: https://www.freshcrate.ai/projects/django-cors-headers
- **Author**: pypi
- **Category**: Frameworks
- **Latest version**: `main@2026-06-01` (2026-06-01)
- **License**: Unknown
- **Source**: https://github.com/adamchainz/django-cors-headers/blob/main/CHANGELOG.rst
- **Homepage**: https://pypi.org/project/django-cors-headers/
- **Language**: Python
- **GitHub**: 5,602 stars, 546 forks
- **Registry**: pypi (`django-cors-headers`)
- **Tags**: `api`, `cors`, `django`, `middleware`, `pypi`, `rest`
## Description
===================
django-cors-headers
===================
.. image:: https://img.shields.io/github/actions/workflow/status/adamchainz/django-cors-headers/main.yml.svg?branch=main&style=for-the-badge
:target: https://github.com/adamchainz/django-cors-headers/actions?workflow=CI
.. image:: https://img.shields.io/badge/Coverage-100%25-success?style=for-the-badge
:target: https://github.com/adamchainz/django-cors-headers/actions?workflow=CI
.. image:: https://img.shields.io/pypi/v/django-cors-headers.svg?style=for-the-badge
:target: https://pypi.org/project/django-cors-headers/
.. image:: https://img.shields.io/badge/code%20style-black-000000.svg?style=for-the-badge
:target: https://github.com/psf/black
.. image:: https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white&style=for-the-badge
:target: https://github.com/pre-commit/pre-commit
:alt: pre-commit
A Django App that adds Cross-Origin Resource Sharing (CORS) headers to
responses. This allows in-browser requests to your Django application from
other origins.
----
**Improve your Django and Git skills** with `my books `__.
----
About CORS
----------
Adding CORS headers allows your resources to be accessed on other domains. It's
important you understand the implications before adding the headers, since you
could be unintentionally opening up your site's private data to others.
Some good resources to read on the subject are:
* Julia Evans' `introductory comic `__ and
`educational quiz `__.
* Jake Archibald’s `How to win at CORS `__
* The `MDN Article `_
* The `web.dev Article `_
* The `Wikipedia Page `_
Requirements
------------
Python 3.9 to 3.14 supported.
Django 4.2 to 6.0 supported.
Setup
-----
Install from **pip**:
.. code-block:: sh
python -m pip install django-cors-headers
and then add it to your installed apps:
.. code-block:: python
INSTALLED_APPS = [
...,
"corsheaders",
...,
]
Make sure you add the trailing comma or you might get a ``ModuleNotFoundError``
(see `this blog
post `__).
You will also need to add a middleware class to listen in on responses:
.. code-block:: python
MIDDLEWARE = [
...,
"corsheaders.middleware.CorsMiddleware",
"django.middleware.common.CommonMiddleware",
...,
]
``CorsMiddleware`` should be placed as high as possible, especially before any
middleware that can generate responses such as Django's ``CommonMiddleware`` or
Whitenoise's ``WhiteNoiseMiddleware``. If it is not before, it will not be able
to add the CORS headers to these responses.
About
-----
**django-cors-headers** was created in January 2013 by Otto Yiu. It went
unmaintained from August 2015 and was forked in January 2016 to the package
`django-cors-middleware `_
by Laville Augustin at Zeste de Savoir.
In September 2016, Adam Johnson, Ed Morley, and others gained maintenance
responsibility for **django-cors-headers**
(`Issue 110 `__)
from Otto Yiu.
Basically all of the changes in the forked **django-cors-middleware** were
merged back, or re-implemented in a different way, so it should be possible to
switch back. If there's a feature that hasn't been merged, please open an issue
about it.
**django-cors-headers** has had `40+ contributors
`__
in its time; thanks to every one of them.
Configuration
-------------
Configure the middleware's behaviour in your Django settings. You must set at
least one of three following settings:
* ``CORS_ALLOWED_ORIGINS``
* ``CORS_ALLOWED_ORIGIN_REGEXES``
* ``CORS_ALLOW_ALL_ORIGINS``
``CORS_ALLOWED_ORIGINS: Sequence[str]``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A list of origins that are authorized to make cross-site HTTP requests.
The origins in this setting will be allowed, and the requesting origin will be echoed back to the client in the |access-control-allow-origin header|__.
Defaults to ``[]``.
.. |access-control-allow-origin header| replace:: ``access-control-allow-origin`` header
__ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
An Origin is defined by `the CORS RFC Section 3.2 `_ as a URI scheme + hostname + port, or one of the special values ``'null'`` or ``'file://'``.
Default ports (HTTPS = 443, HTTP = 80) are optional.
The special value ``null`` is sent by the browser
## Recent releases
| Version | Date | Urgency | Changes |
| --- | --- | --- | --- |
| `main@2026-06-01` | 2026-06-01 | High | Latest activity on main branch |
| `4.9.0` | 2026-04-21 | Low | Imported from PyPI (4.9.0) |
| `4.8.0` | 2025-09-08 | Low | Tag 4.8.0 |
| `4.7.0` | 2025-02-06 | Low | Tag 4.7.0 |
| `4.6.0` | 2024-10-29 | Low | Tag 4.6.0 |
| `4.5.0` | 2024-10-12 | Low | Tag 4.5.0 |
| `4.4.0` | 2024-06-19 | Low | Tag 4.4.0 |
| `4.3.1` | 2023-11-14 | Low | Tag 4.3.1 |
| `4.3.0` | 2023-10-11 | Low | Tag 4.3.0 |
| `4.2.0` | 2023-07-10 | Low | Tag 4.2.0 |
## Citation
- HTML: https://www.freshcrate.ai/projects/django-cors-headers
- Markdown: https://www.freshcrate.ai/projects/django-cors-headers.md
- Dependencies JSON: https://www.freshcrate.ai/api/projects/django-cors-headers/deps
_Generated by freshcrate.ai. Indexes pypi releases for AI-agent ecosystem packages._