Nexios

Appearance

CORS in Nexios

Got it! I'll go through each CORS configuration setting in Nexios, explaining what it does and how it impacts requests.

Basic CORS Configuration in Nexios

Before diving into individual settings, here's a simple CORS setup using CorsConfig:

python
from nexios import NexiosApp
from nexios.middleware.cors import CorsConfig
from nexios.middleware.cors import CORSMiddleware

cors_config = CorsConfig(
    allow_origins=["https://example.com"],
    allow_methods=["GET", "POST"],
    allow_headers=["Authorization", "X-Requested-With"],
    allow_credentials=True,
    max_age=600,
    debug=True
)
app = NexiosApp()
app.add_middleware(CORSMiddleware(config=cors_config))
py
from nexios import NexiosApp, MakeConfig
from nexios.middleware.cors import CorsConfig
from nexios.middleware.cors import CORSMiddleware

config = MakeConfig(
    cors = CorsConfig(
    allow_origins=["https://example.com"],
    allow_methods=["GET", "POST"],
    allow_headers=["Authorization", "X-Requested-With"],
    allow_credentials=True,
    max_age=600,
    debug=True
)
)
app = NexiosApp(config = config)
app.add_middleware(CORSMiddleware())

we can break it down further:

allow_origins

  • Purpose: Specifies which domains can access the API.
  • Example:
python
# Using CorsConfig with recommended approach
cors_config = CorsConfig(
    allow_origins=["https://example.com", "https://another-site.com"]
)
app.add_middleware(CORSMiddleware(config=cors_config))
  • Special cases:
    • Use ["*"] to allow requests from any origin (not safe if credentials are enabled).
    • If an origin is not listed here, the request will be blocked.

blacklist_origins

  • Purpose: Specifies which origins should beblocked, even if they match allow_origins.
  • Example:
python
cors_config = CorsConfig(
        blacklist_origins=["https://bad-actor.com"]
    )
app.add_middleware(CORSMiddleware(config=cors_config))
  • Use case: If you allow all origins (["*"]), but want to exclude specific ones.

allow_methods

  • Purpose: Defines which HTTP methods (GET, POST, etc.) are allowed in cross-origin requests.
  • Example:
python
cors_config = CorsConfig(
    allow_methods=["GET", "POST", "PUT"]
)
app.add_middleware(CORSMiddleware(config=cors_config))
  • Default: All methods (["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]) are allowed.

allow_headers

  • Purpose: Specifies which request headers are permitted in cross-origin requests.
  • Example:
python
cors_config = CorsConfig(
        allow_headers=["Authorization", "X-Custom-Header"]
    )
app.add_middleware(CORSMiddleware(config=cors_config))
  • Default: Basic headers like Accept, Content-Type, etc., are always allowed.

blacklist_headers

  • Purpose: Defines headers that shouldnot be allowed in requests.
  • Example:
python
cors_config = CorsConfig(
    blacklist_headers=["X-Disallowed-Header"]
)
app.add_middleware(CORSMiddleware(config=cors_config))
  • Use case: If you allow most headers but want to restrict specific ones.

allow_credentials

  • Purpose: Determines whether credentials (cookies, authorization headers) are allowed in requests.
  • Example:
python
cors_config = CorsConfig(
        allow_credentials=True
    )
app.add_middleware(CORSMiddleware(config=cors_config))
  • Important:
    • If True, the browser allows requests with credentials (e.g., session cookies).
    • If True, allow_origins cannot be "*" (security restriction).
    • If False, credentials are blocked.

allow_origin_regex

  • Purpose: Uses a regex pattern to match allowed origins dynamically.
  • Example:
python
cors_config = CorsConfig(
        allow_origin_regex=r"https://.*\.trusted-site\.com"
    )
app.add_middleware(CORSMiddleware(config=cors_config))
  • Use case: When you want to allow multiple subdomains without listing them individually.

👁️ expose_headers

  • Purpose: Specifies which response headers the client is allowed to access.
  • Example:
python
cors_config = CorsConfig(
        expose_headers=["X-Response-Time"]
    )
app.add_middleware(CORSMiddleware(config=cors_config))
  • Default: Only basic headers are exposed unless configured.

⏱️ max_age

  • Purpose: Defines how long the preflight (OPTIONS) response can be cached.
  • Example:
python
cors_config = CorsConfig(
        max_age=600  # Cache for 10 minutes
    )
app.add_middleware(CORSMiddleware(config=cors_config))
  • Impact: Reduces unnecessary preflight requests for frequent API calls.

strict_origin_checking

  • Purpose: If enabled, requestsmust include an Origin header.
  • Example:
python
cors_config = CorsConfig(
        strict_origin_checking=True
    )
app.add_middleware(CORSMiddleware(config=cors_config))
  • Use case: When you want to strictly enforce CORS checks, especially for security.

debug

  • Purpose: Enables logging to troubleshoot CORS issues.
  • Example:
python
cors_config = CorsConfig(
        debug=True
    )
app.add_middleware(CORSMiddleware(config=cors_config))
  • Impact:
    • Prints logs when a request is blocked due to CORS.
    • Useful for debugging in development.

custom_error_status & custom_error_messages

  • Purpose: Allows custom error handling for CORS failures.
  • Example:
python
cors_config = CorsConfig(
        custom_error_status=403,
        custom_error_messages={
            "disallowed_origin": "This origin is not allowed.",
            "missing_origin": "The request is missing an origin."
        }
    )
app.add_middleware(CORSMiddleware(config=cors_config))
  • Use case: When you want meaningful error messages instead of generic CORS errors.