Fix CORS Error in Flask
Updated April 2026
Reading this article? Verify your fix in real-time. Test your Flask CORS config live → CORSFixer
Flask does not add CORS headers by default. Install flask-cors and apply it to your app in one line. Note: Flask is not FastAPI — the config is different.
Browser Console
Access to fetch at 'http://127.0.0.1:5000/api/data' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.Install and apply flask-cors
pip install flask-cors
from flask import Flask
from flask_cors import CORS
app = Flask(__name__)
# Apply to entire app — development
CORS(app)
# Apply to entire app — production
CORS(app, origins=["https://yourapp.com"])
@app.route("/api/data")
def get_data(): return {"status": "ok"}
Per-route CORS
from flask_cors import cross_origin
@app.route("/api/public")
@cross_origin() # allows all origins
def public(): return {"data": "public"}
@app.route("/api/private")
@cross_origin(origins="https://yourapp.com")
def private(): return {"data": "private"}
With credentials (cookies / Authorization header)
CORS(app, origins=["https://yourapp.com"], supports_credentials=True
)
# Frontend must also set:
# fetch(url, { credentials: 'include' })
Specific resources with different configs
CORS(app, resources={ r"/api/public/*": {"origins": "*"}, r"/api/private/*": { "origins": ["https://yourapp.com"], "supports_credentials": True }
})
Flask with Blueprints
from flask import Blueprint
from flask_cors import CORS
api_bp = Blueprint("api", __name__)
CORS(api_bp, origins=["https://yourapp.com"])
@api_bp.route("/data")
def data(): return {"ok": True}
app.register_blueprint(api_bp, url_prefix="/api")
Flask + Gunicorn in production
CORS headers are set by Flask, not Gunicorn. The config above applies in production. If you have Nginx in front, do not add CORS headers in both — pick one layer.
Test your Flask CORS config live → CORSFixer