High severity HTTP 403 beginner · Fix: 2-5 min

CORSError

starlette.middleware.cors.CORSError

What this error means
FastAPI's CORS middleware blocks cross-origin requests when the server is not configured to allow the requesting origin, causing browser policy errors.

Stack trace

```text
starlette.middleware.cors.CORSError: CORS policy does not allow access from the specified Origin
  File "/usr/local/lib/python3.9/site-packages/starlette/middleware/cors.py", line 123, in __call__
    raise CORSError("CORS policy does not allow access from the specified Origin")
  File "/usr/local/lib/python3.9/site-packages/starlette/middleware/cors.py", line 101, in __call__
    if not self.is_allowed_origin(origin):
  File "/usr/local/lib/python3.9/site-packages/starlette/middleware/cors.py", line 75, in is_allowed_origin
    return origin in self.allow_origins or "*" in self.allow_origins
```

Quick fix

Configure FastAPI's CORSMiddleware with a correct allow_origins list that includes your client URL, and make sure allow_credentials matches your needs.

Why it happens

FastAPI uses Starlette's CORS middleware to enforce cross-origin resource sharing policies. If the incoming request's Origin header is not in the allowed origins list, the middleware blocks the request, triggering a CORS error in the browser. This happens when the server is not configured to accept requests from the client's domain or when the allow_origins setting is missing or incorrect.

Detection

Monitor server logs for CORSError exceptions or HTTP 403 responses on OPTIONS or actual requests; also detect browser console errors indicating CORS policy blocks referencing the Origin header.

Causes & fixes

1

Missing or empty allow_origins list in FastAPI CORS middleware configuration

✓ Fix

Set allow_origins to the client domains your frontend uses; ['*'] is acceptable only for development to allow all origins, and not together with allow_credentials=True.

2

Using allow_origins=['*'] together with allow_credentials=True, which the CORS specification disallows (browsers reject a wildcard Access-Control-Allow-Origin on credentialed responses)

✓ Fix

Either set allow_origins to specific domains or set allow_credentials=False to comply with CORS rules.

3

Client sends requests from an origin not listed in allow_origins

✓ Fix

Add the client's exact origin URL (including scheme and port) to the allow_origins list.

4

CORS middleware not added or added after routes in FastAPI app

✓ Fix

Register CORSMiddleware with app.add_middleware() when the app is created, before defining routes.
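The four causes above can be caught before the app starts. The following is an added example (not Starlette's or FastAPI's own code, and it does not depend on either): a small lint of the two middleware arguments the causes revolve around, plus a stand-in for the exact-match-or-wildcard origin check shown in the stack trace, run against constructed configurations. The CorsConfig class, lint_cors_config and preflight_headers are assumed helpers for this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class CorsConfig:
    # Assumed helper: mirrors the two CORSMiddleware arguments the causes above revolve around.
    allow_origins: list = field(default_factory=list)
    allow_credentials: bool = False


def lint_cors_config(cfg: CorsConfig) -> list:
    """Return human-readable problems for causes 1-3 before the app is started."""
    problems = []
    if not cfg.allow_origins:
        problems.append("allow_origins is empty: every cross-origin request is refused")
    if "*" in cfg.allow_origins and cfg.allow_credentials:
        problems.append("allow_origins=['*'] with allow_credentials=True: browsers reject "
                        "credentialed responses carrying a wildcard origin")
    for origin in cfg.allow_origins:
        if origin == "*":
            continue
        parts = urlsplit(origin)
        # An origin is scheme://host[:port] only; a path or trailing slash never matches.
        if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
            problems.append(f"{origin!r} is not a bare origin (scheme://host[:port])")
    return problems


def is_allowed_origin(cfg: CorsConfig, origin: str) -> bool:
    """Same exact-match-or-wildcard test as the is_allowed_origin frame in the trace."""
    return origin in cfg.allow_origins or "*" in cfg.allow_origins


def preflight_headers(cfg: CorsConfig, origin: str):
    """Headers a preflight reply would carry, or None when the origin is refused."""
    if not is_allowed_origin(cfg, origin):
        return None
    headers = {}
    if cfg.allow_credentials:
        # With credentials the exact origin must be echoed back, never '*'.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    else:
        headers["Access-Control-Allow-Origin"] = "*" if "*" in cfg.allow_origins else origin
    return headers
```

Running lint_cors_config on CorsConfig(["http://localhost:3000/"], False) flags the trailing slash, and preflight_headers(CorsConfig(["http://localhost:3000"], True), "http://localhost:3001") returns None because the port differs (cause 3).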

Code: broken vs fixed

Broken - triggers the error

```python
from fastapi import FastAPI
from starlette.middleware.cors import CORSMiddleware

app = FastAPI()

# Missing or empty allow_origins causes the CORS error
app.add_middleware(
    CORSMiddleware,
    allow_origins=[],  # <-- causes CORS error
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

@app.get("/")
def read_root():
    return {"message": "Hello World"}
```
Fixed - works correctly

```python
import os
from fastapi import FastAPI
from starlette.middleware.cors import CORSMiddleware

app = FastAPI()

# Fixed: allow_origins includes the client URL, allow_credentials is consistent with it
app.add_middleware(
    CORSMiddleware,
    allow_origins=[os.environ.get("CLIENT_ORIGIN", "http://localhost:3000")],  # Added client origin
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

@app.get("/")
def read_root():
    return {"message": "Hello World"}

print("CORS middleware configured with allowed origins")
```

Adding allow_origins with the client origin URL and keeping allow_credentials compatible with it fixes the CORS policy block on the request.

Workaround

Temporarily set allow_origins=['*'] and allow_credentials=False in CORSMiddleware to bypass CORS restrictions during local development; with allow_credentials=False, credentialed requests will not be exposed to the client, and this setting should not reach production.

Prevention

Always explicitly configure CORSMiddleware with the exact client origins your frontend uses and keep allow_credentials consistent with allow_origins to avoid browser CORS blocks.

Python 3.9+ · fastapi >=0.60.0 · tested on 0.95.0
Verified 2026-04
