Flask-CORS

Flask extension for Cross-Origin Resource Sharing (CORS) — adds Access-Control-Allow-Origin and related CORS headers to Flask responses. Flask-CORS provides: CORS(app) for global CORS with default allow-all, CORS(app, origins=['https://app.example.com']) for an origin whitelist, the @cross_origin() decorator for per-route CORS configuration, and options for allowed headers, exposed headers, credentials and preflight caching (allow_headers, expose_headers, supports_credentials, max_age). It handles preflight OPTIONS requests automatically, which prevents browser-side CORS errors when frontend agent apps on different origins call Flask backend APIs.

Evaluated Mar 06, 2026, v4.x
Category: Developer Tools
Tags: python, flask, cors, security, api, cross-origin, headers, preflight
⚙ Agent Friendliness: 66 / 100 (Can an agent use this?)
🔒 Security: 85 / 100 (Is it safe for agents?)
⚡ Reliability: 86 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 88
Error Messages: 82
Auth Simplicity: 88
Rate Limits: 95

🔒 Security

TLS Enforcement: 85
Auth Strength: 80
Scope Granularity: 82
Dep. Hygiene: 88
Secret Handling: 90

CORS is a security boundary — misconfigured CORS allows malicious sites to make authenticated agent API calls from victim browsers. Always restrict origins to trusted agent frontends in production. Never use a wildcard origin with credentials. Combine with HTTPS-only for agent APIs.

⚡ Reliability

Uptime/SLA: 88
Version Stability: 85
Breaking Changes: 82
Error Recovery: 90

Best When

Your Flask agent API is called by a web frontend on a different domain — Flask-CORS adds correct CORS headers so browsers allow cross-origin agent API requests.

Avoid When

Your API is called only by server-side code, you have API Gateway managing CORS, or your frontend and API are on the same origin.

Use Cases

  • Enable CORS for agent React/Vue frontend calling Flask API — CORS(app, origins=['https://agent-ui.example.com']) allows cross-origin requests from agent web frontend
  • Allow agent mobile apps to call Flask API — CORS(app, origins='*') enables mobile agent apps on any origin to call Flask agent backend during development
  • Per-endpoint CORS for mixed agent API — @cross_origin(origins=['https://trusted-agent.com']) on specific routes while other routes remain same-origin only
  • CORS with credentials for agent session-based auth — CORS(app, supports_credentials=True, origins=['https://agent-app.com']) required when agent frontend sends cookies or Authorization headers
  • Development CORS wildcard — CORS(app) with no origin restriction during agent local development, tightened to specific origins in production

Not For

  • Server-to-server agent API calls — CORS is a browser security mechanism; server-side agent code calling Flask APIs doesn't need CORS headers
  • API Gateway-managed CORS — if agent service is behind AWS API Gateway, GCP Cloud Endpoints, or NGINX, configure CORS there instead of in Flask
  • Security beyond CORS — Flask-CORS only handles CORS headers; authentication, authorization, and rate limiting require separate Flask extensions

Interface

REST API: No
GraphQL: No
gRPC: No
MCP Server: No
SDK: Yes
Webhooks: No

Authentication

Methods: none
OAuth: No Scopes: No

CORS header library — no auth. When using supports_credentials=True, origin cannot be '*' — must specify exact allowed origins for agent frontend.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Flask-CORS is MIT licensed. Free for all use.

Agent Metadata

Pagination: none
Idempotent: Full
Retry Guidance: Not documented

Known Gotchas

  • supports_credentials=True requires specific origins — CORS(app, origins='*', supports_credentials=True) is a security error and browsers reject it; you must specify the exact agent frontend origins: CORS(app, origins=['https://agent.example.com'], supports_credentials=True)
  • Wildcard in production is a security risk — CORS(app) or CORS(app, origins='*') allows any origin to call the agent API; use it only in development; production agent APIs should whitelist specific frontend origins
  • Flask-CORS may conflict with other CORS headers — if NGINX or a load balancer also adds CORS headers, the duplicated headers cause browser CORS failures; configure CORS at one layer only for an agent deployment
  • Preflight requests bypass Flask-Login — OPTIONS preflight requests from the browser don't include credentials; @login_required on routes blocks the preflight with a 302 redirect; Flask-CORS handles this by responding to OPTIONS before the auth check, but explicit route exclusion may be needed
  • Blueprint-level vs app-level CORS — CORS(app) applies globally; CORS(blueprint) applies to blueprint routes; mixing both can double-apply CORS headers, causing the browser to reject duplicate origin headers on agent API routes
  • vary_header must be True for CDN caching — CORS(app, vary_header=True) adds a Vary: Origin header so the CDN caches different responses per origin; without the Vary header, the CDN may return a cached response with the wrong origin for agent multiregion deployments
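
An added example (not part of the evaluation or of Flask-CORS itself): a standard-library header audit that flags the misconfigurations listed above on a captured response. The function name, finding codes, trusted-origin set and sample responses are constructed for illustration.

```python
# Audits the CORS headers of one HTTP response for the gotchas listed above.
ALLOWED = {"https://agent.example.com"}  # assumption: the deployment's trusted origins

def audit_cors(headers, allowed=ALLOWED):
    """headers: (name, value) pairs as sent on the wire, duplicates preserved.
    Returns a sorted list of finding codes (empty list means no finding)."""
    def values(name):
        return [v.strip() for k, v in headers if k.lower() == name]

    # A proxy may fold two Access-Control-Allow-Origin headers into "a, b".
    origins = [o.strip() for v in values("access-control-allow-origin")
               for o in v.split(",")]
    creds = any(v.lower() == "true"
                for v in values("access-control-allow-credentials"))
    vary = {t.strip().lower() for v in values("vary") for t in v.split(",")}
    findings = set()

    if len(origins) > 1:
        # Typical when Flask-CORS and NGINX/a load balancer both add the header.
        findings.add("duplicate-allow-origin")
    for origin in origins:
        if origin == "*":
            findings.add("wildcard-with-credentials" if creds else "wildcard-origin")
        elif origin not in allowed:
            findings.add("untrusted-origin-allowed")
        elif "origin" not in vary and "*" not in vary:
            # Per-origin response that a shared cache could serve to another origin.
            findings.add("missing-vary-origin")
    return sorted(findings)

ACAO = ("Access-Control-Allow-Origin", "https://agent.example.com")
SAMPLES = {  # constructed responses, not captured from a real service
    "hardened": [ACAO, ("Access-Control-Allow-Credentials", "true"),
                 ("Vary", "Origin")],
    "wildcard_creds": [("Access-Control-Allow-Origin", "*"),
                       ("Access-Control-Allow-Credentials", "true")],
    "double_layer": [ACAO, ACAO, ("Vary", "Accept-Encoding, Origin")],
    "cdn_unsafe": [ACAO, ("Vary", "Accept-Encoding")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {audit_cors(hdrs) or 'ok'}")
```

Feed it the raw header list from a staging response for each origin you test; an empty result for trusted origins and no CORS headers at all for untrusted ones is the expected production state.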

Scores are editorial opinions as of 2026-03-06.
