Masonite Documentation
v4.0
v4.0
  • Introduction and Installation
  • Prologue
    • Creating A Blog Tutorial
    • Release Cycle
    • Contributing Guide
    • How To Contribute
  • The Basics
    • Routing
    • Controllers
    • Middleware
    • Response
    • Request
    • Static Files
    • Views
    • Environments
    • Configuration
    • Error Handling
  • Features
    • API Development
    • Authentication
    • Authorization
    • Broadcasting
    • Caching
    • Compiling Assets
    • Commands
    • CSRF Protection
    • Events
    • Facades
    • Filesystem and Uploading
    • Hash ID's
    • Helpers
    • Mail
    • Notifications
    • Package Development
    • Queues and Jobs
    • Rate Limiting
    • Sessions
    • Task Scheduling
    • Tinker Shell (REPL)
    • Validation
  • Architecture
    • Service Providers
    • Service Container
  • Security
    • CORS
    • Hashing
  • Masonite ORM
    • To Masonite ORM Docs
  • Testing
    • Getting Started
    • HTTP Tests
    • Database Tests
    • Commands Tests
    • Console Tests
    • Mocking
    • Extending
  • Official Packages
    • Masonite Debugbar
  • How-to Guides
    • Handling AJAX requests with expired authentication
    • Build Email Verification from Scratch With Masonite Framework and JSON Web Tokens
    • Deploying a Masonite Application to Heroku
    • How To Deploy Masonite to PythonAnywhere
    • How-To: Use RabbitMQ with Masonite 2.0 queues
    • How To Use The Repository Pattern with Masonite
    • Making Masonite and Laravel Mix work together
  • What's New
    • Masonite 1.3
    • Masonite 1.4
    • Masonite 1.5
    • Masonite 1.6
    • Masonite 2.0
    • Masonite 2.1
    • Masonite 2.2
    • Masonite 2.3
    • Masonite 3.0
  • Upgrade Guide
    • Masonite 1.3 to 1.4
    • Masonite 1.4 to 1.5
    • Masonite 1.5 to 1.6
    • Masonite 1.6 to 2.0
    • Masonite 2.0 to 2.1
    • Masonite 2.1 to 2.2
    • Masonite 2.2 to 2.3
    • Masonite 2.3 to 3.0
    • Masonite 3.0 to 4.0
Powered by GitBook
On this page
  • Getting Started
  • Configuration
  • Paths
  • Allowed Methods
  • Allowed Origins
  • Allowed Headers
  • Exposed Headers
  • Max Age
  • Supports Credentials
Edit on GitHub
Export as PDF
  1. Security

CORS

PreviousService ContainerNextHashing

Last updated 2 years ago

CORS is sometimes important to activate in your application. CORS allows you to have a stronger layer of security over your application by specifying specific CORS headers in your responses. This is done through "preflight" requests.

These "preflight" requests are OPTIONS requests that are sent at the same time as other non safe requests (POST, PUT, DELETE) and specifically designed to verify the CORS headers before allowing the other request to go through.

To learn more about CORS please read .

You can enable CORS protection by simply adding the CorsMiddleware into you middleware stack.

Getting Started

To enable CORS in Masonite, you just need to add the CorsMiddleware in your middleware stack to your http_middleware key in your Kernel.py class.

It is best to put the CORS middleware as the first middleware to prevent possible errors.

from masonite.middleware import CorsMiddleware

#..
class Kernel:

    http_middleware = [
        CorsMiddleware,
        EncryptCookies
    ]
    #..

Your application will now handle CORS requests to successfully go through.

Configuration

All CORS settings are configured in the dedicated security configuration file config/security.py. The default configuration options are:

CORS = {
    "paths": ["api/*"],
    "allowed_methods": ["*"],
    "allowed_origins": ["*"],
    "allowed_headers": ["*"],
    "exposed_headers": [],
    "max_age": None,
    "supports_credentials": False,
}

Paths

You can define paths for which you want CORS protection to be enabled. Multiple paths can be defined in the list and wildcards (*) can be used to define the paths.

    "paths": ["api/*", "auth/"]

Here all requests made to auth/ and to all API routes will be protected with CORS.

Allowed Methods

The default is to protect all HTTP methods but a list of methods can be specified instead. This will set the Access-Control-Allow-Methods header in the response.

For example CORS can be enabled for sensitive requests:

    "allowed_methods": ["POST", "PUT", "PATCH"]

Allowed Origins

The default is to allow all origins to access a resource on the server. Instead you can define a list of origins allowed to access the resources defined above (paths). Wildcards (*) can be used. This will set the Access-Control-Allow-Origin header in the response.

    "allowed_origins": ["*.example.com"]

Here blog.example.com and forum.example.com will e.g. be authorized to make requests to the application paths defined above.

Allowed Headers

The default is to authorized all request headers during a CORS request, but you can define a list of headers confirming that these are permitted headers to be used with the actual request. This will set the Access-Control-Allow-Headers header in the response.

    "allowed_headers": ["X-Test-1", "X-Test-2"]

Exposed Headers

The default is an empty list but you can define which headers will be accessible to the broswser e.g. with Javascript (with getResponseHeader()). This will set the Access-Control-Expose-Headers header in the response.

    "exposed_headers": ["X-Client-Test-1"]

Max Age

This will set the Access-Control-Max-Age header in the response and will indicates how long the results of a preflight request can be cached. The default is None meaning it preflight request results will never be cached.

You can indicate a cache duration in seconds:

    "max_age": 3600

Supports Credentials

This will set the Access-Control-Allow-Credentials and will indicate whether or not the response to the request can be exposed when the credentials flag is true. The default is False.

    "supports_credentials": True

You can read more about it .

MDN documentation
here