Fix CORS Error in Django

Updated April 2026

Django returns a response, but the browser blocks it because there is no Access-Control-Allow-Origin header. Install django-cors-headers and configure it before your other middleware.

Browser Console
Access to fetch at 'http://localhost:8000/api/data/' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Install and configure django-cors-headers

pip install django-cors-headers
# settings.py
INSTALLED_APPS = [
    # ...
    "corsheaders",
    # ...
]

MIDDLEWARE = [
    "corsheaders.middleware.CorsMiddleware",  # must be FIRST
    "django.middleware.common.CommonMiddleware",
    # ...
]

# Development — allow all origins
CORS_ALLOW_ALL_ORIGINS = True

# Production — specify allowed origins
CORS_ALLOWED_ORIGINS = [
    "https://yourapp.com",
    "https://staging.yourapp.com",
]

CorsMiddleware must appear before CommonMiddleware and any middleware that generates responses. Order matters — putting it lower in the list means some responses get returned before CORS headers are added.

If you are sending cookies or Authorization headers

# settings.py
CORS_ALLOWED_ORIGINS = ["https://yourapp.com"]
CORS_ALLOW_CREDENTIALS = True

# Also configure your session cookie for cross-site
SESSION_COOKIE_SAMESITE = "None"
SESSION_COOKIE_SECURE = True  # requires HTTPS
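
A settings audit for the middleware order, the allow-all shortcut and the credentials settings shown above. This is an added example, not code from the original article or from django-cors-headers; `audit_cors_settings` and its finding codes are hypothetical names, and it reads settings from a plain dict so it runs without Django.

```python
from urllib.parse import urlsplit

CORS_MW = "corsheaders.middleware.CorsMiddleware"
COMMON_MW = "django.middleware.common.CommonMiddleware"

def audit_cors_settings(s):
    """Return finding codes for a dict of Django settings (hypothetical helper)."""
    findings = []
    debug = s.get("DEBUG", False)
    allow_all = s.get("CORS_ALLOW_ALL_ORIGINS", False)
    creds = s.get("CORS_ALLOW_CREDENTIALS", False)

    # Middleware order: CorsMiddleware has to sit above CommonMiddleware.
    mw = list(s.get("MIDDLEWARE", []))
    if CORS_MW not in mw:
        findings.append("cors-middleware-missing")
    elif COMMON_MW in mw and mw.index(CORS_MW) > mw.index(COMMON_MW):
        findings.append("cors-middleware-after-common")

    # The development shortcut must not reach production, and with credentials
    # enabled it would let every origin make cookie-bearing requests.
    if allow_all and not debug:
        findings.append("allow-all-origins-outside-debug")
    if allow_all and creds:
        findings.append("allow-all-origins-with-credentials")

    # An origin is scheme://host[:port] with no path; outside DEBUG, credentialed
    # requests should only be accepted from https origins.
    for origin in s.get("CORS_ALLOWED_ORIGINS", []):
        parts = urlsplit(origin)
        if not parts.scheme or not parts.netloc or parts.path:
            findings.append(f"malformed-origin:{origin}")
        elif creds and not debug and parts.scheme != "https":
            findings.append(f"insecure-origin-with-credentials:{origin}")

    # Browsers reject SameSite=None cookies that are not also marked Secure.
    if s.get("SESSION_COOKIE_SAMESITE") == "None" and not s.get("SESSION_COOKIE_SECURE"):
        findings.append("samesite-none-without-secure")
    return findings

# Constructed sample settings, not taken from a real project.
BAD = {
    "DEBUG": False, "MIDDLEWARE": [COMMON_MW, CORS_MW],
    "CORS_ALLOW_ALL_ORIGINS": True, "CORS_ALLOW_CREDENTIALS": True,
    "CORS_ALLOWED_ORIGINS": ["https://yourapp.com/", "http://staging.yourapp.com"],
    "SESSION_COOKIE_SAMESITE": "None",
}
if __name__ == "__main__":
    print("\n".join(audit_cors_settings(BAD)))
```

An empty list means none of these checks fired; it does not replace testing the real responses with the curl command in the last section.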

Django REST Framework — allow specific headers

from corsheaders.defaults import default_headers

CORS_ALLOW_HEADERS = list(default_headers) + [
    "x-api-key",
    "x-requested-with",
]

CORS_ALLOW_METHODS = [
    "DELETE",
    "GET",
    "OPTIONS",
    "PATCH",
    "POST",
    "PUT",
]

Allow specific URL patterns only

# Allow CORS only on /api/ routes
CORS_URLS_REGEX = r"^/api/.*$"

Django Ninja and ASGI apps

# For Django Ninja (async Django)
# django-cors-headers works identically — same settings.py config
# For raw ASGI without Django middleware stack:
from starlette.middleware.cors import CORSMiddleware

# `app` is your existing ASGI application callable
app = CORSMiddleware(
    app,
    allow_origins=["https://yourapp.com"],
    allow_methods=["*"],
    allow_headers=["*"],
)

Test the fix

# Check that CORS headers appear
curl -H "Origin: https://yourapp.com" \
  -H "Access-Control-Request-Method: GET" \
  -X OPTIONS \
  http://localhost:8000/api/data/ -v 2>&1 | grep -i "access-control"