Flask-CORS is a simple extension to Flask allowing you to support cross origin resource sharing (CORS) using a simple decorator.

Build Status


Install the extension with using pip, or easy_install.

$ pip install flask-cors


This extension exposes a simple decorator to decorate flask routes with. Simply add @cross_origin() below a call to Flask’s @app.route(..) incanation to accept the default options and allow CORS on a given route.

Simple Usage

@cross_origin() # allow all origins all methods.
def helloWorld():
  return "Hello, cross-origin-world!"


flask_cors.cross_origin(origins='*', methods=['GET', 'HEAD', 'POST', 'OPTIONS', 'PUT'], headers=None, supports_credentials=False, max_age=None, send_wildcard=True, always_send=True, automatic_options=False)

This function is the decorator which is used to wrap a Flask route with. In the simplest case, simply use the default parameters to allow all origins in what is the most permissive configuration. If this method modifies state or performs authentication which may be brute-forced, you should add some degree of perfection, for example Cross Site Forgery Request protection.

  • origins (list or string) – The origin, or list of origins which are to be allowed, and injected into the returned Access-Control-Allow-Origin header
  • methods (list) – The methods to be allowed and injected Access-Control-Allow-Methods.
  • headers (list or string) – The list of allowed headers to be injected in Access-Control-Allow-Headers.
  • supports_credentials (bool) – TODO. Currently unusued, May be implemented in the future.
  • max_age (timedelta, integer, string or None) – The maximum time for which this CORS request may be cached. This value is set as the Access-Control-Max-Age header.
  • send_wildcard (bool) – If True, and the origins parameter is *, a wildcard Access-Control-Allow-Origin header is sent, rather than echoing the request’s Origin header.
  • always_send (bool) – If True, CORS headers are sent even if there is no Origin in the request’s headers.
  • automatic_options (bool) – If True, Flask’s automatic_options is enabled, otherwise default Flask-Cors behavior is used.