Fix CORS in Flask

Last updated: April 2026

Browser Console Error
Access to fetch at 'http://localhost:5000/api' from origin 'http://localhost:5173' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present.

Install flask-cors and initialize it with your app. Configure allowed origins explicitly when using credentials.

Basic fix: install and configure flask-cors

pip install flask-cors

from flask import Flask
from flask_cors import CORS

app = Flask(__name__)

CORS(app, origins=["https://yourapp.com"], supports_credentials=True)

@app.route("/api/data")
def data():
    return {"message": "ok"}

Development + production origins

from flask import Flask
from flask_cors import CORS

app = Flask(__name__)

CORS(app,
     origins=[
         "http://localhost:5173",  # Vite
         "http://localhost:3000",  # CRA
         "https://yourapp.com",
     ],
     supports_credentials=True,
     allow_headers=["Content-Type", "Authorization"],
     methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"]
)

Per-route CORS

from flask import Flask
from flask_cors import cross_origin

app = Flask(__name__)

@app.route("/api/public")
@cross_origin()  # allows all origins, no credentials
def public():
    return {"message": "public"}

@app.route("/api/private")
@cross_origin(origins=["https://yourapp.com"], supports_credentials=True)
def private():
    return {"message": "private"}

Wildcard origin without credentials

CORS(app)  # allows all origins, no credentials by default

⚠ Do not combine origins=["*"] with supports_credentials=True. Browsers reject a wildcard origin when credentials are included. Use explicit origins instead.

Verify your CORS headers

curl -X OPTIONS http://localhost:5000/api/data \
  -H "Origin: http://localhost:5173" \
  -H "Access-Control-Request-Method: POST" \
  -v 2>&1 | grep -i "access-control"
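
To read the output of that curl command the way a browser would, the following added example (not part of the original page or of flask-cors) checks the preflight response headers against the origin, method, headers and credentials mode of the intended request. The function names and the sample outputs are assumptions constructed for illustration.

```python
# Added example: judge a preflight response by the rules a browser applies.
SAFE_METHODS = {"GET", "HEAD", "POST"}  # CORS-safelisted, never need listing

def parse_cors_headers(curl_output):
    """Collect response Access-Control-* headers from `curl -v` text ("< Name: value")."""
    headers = {}
    for line in curl_output.splitlines():
        name, sep, value = line.strip().partition(":")
        if not sep or not name.startswith("<"):
            continue  # skips "> ..." request lines that the grep also matches
        name = name.lstrip("< ").lower()
        if name.startswith("access-control-"):
            headers[name] = value.strip()
    return headers

def _tokens(value):
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def check_preflight(curl_output, origin, method, request_headers=(), credentials=False):
    """Return a list of problems; empty means the browser would send the real request."""
    # Simplification: "*" inside the method/header lists is not treated as a wildcard.
    h = parse_cors_headers(curl_output)
    problems = []
    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        problems.append("no Access-Control-Allow-Origin header")
    elif allow_origin == "*" and credentials:
        problems.append("wildcard origin rejected for a credentialed request")
    elif allow_origin not in ("*", origin):
        problems.append(f"origin {origin} not allowed (got {allow_origin})")
    if credentials and h.get("access-control-allow-credentials") != "true":
        problems.append("Access-Control-Allow-Credentials is not 'true'")
    methods = _tokens(h.get("access-control-allow-methods", ""))
    if method.upper() not in SAFE_METHODS and method.lower() not in methods:
        problems.append(f"method {method} not in Access-Control-Allow-Methods")
    allowed = _tokens(h.get("access-control-allow-headers", ""))
    for name in request_headers:
        if name.lower() not in allowed:
            problems.append(f"header {name} not in Access-Control-Allow-Headers")
    return problems

# Constructed sample outputs (not captured from a real server).
GOOD = """\
> Access-Control-Request-Method: POST
< Access-Control-Allow-Origin: http://localhost:5173
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: DELETE, GET, OPTIONS, POST, PUT
< Access-Control-Allow-Headers: Authorization, Content-Type
"""
WILDCARD = "< Access-Control-Allow-Origin: *\n"
```

Pass `credentials=True` when the frontend uses `fetch(..., {credentials: "include"})`; a non-empty result lists each reason the browser would block the request.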