CORS — Aquilia Documentation
Comprehensive guide and documentation for CORS in the Aquilia framework. View API reference, examples, and implementation patterns.
MIDDLEWARE / CORS CORS Middleware The CORSMiddleware provides full RFC 6454 and Fetch Standard compliant Cross-Origin Resource Sharing. It is optimized with cached origin matching, distinct preflight routing, and vary-caching security headers. LRU Cached Origin Matching To avoid evaluating complex regular expressions or glob matches on every incoming request, CORSMiddleware delegates matching to a specialized _OriginMatcher. This matcher holds an LRU (Least Recently Used) cache with a maximum capacity of 512 entries, keeping origin verification down to O(1) for repeat clients. Supports glob wildcards (e.g. "https://*.domain.com") and pre-compiled regex objects for matching complex subdomains. Configuration from aquilia.middleware_ext import CORSMiddleware import re server.middleware( CORSMiddleware( allow_origins=[ "https://app.example.com", "https://*.internal.net", # Glob subdomain wildcard re.compile(r"^https://[a-z0-9-]+\\.prod\\.com$") # Regex object ], allow_methods=["GET", "POST", "PUT", "DELETE"], allow_headers=["Authorization", "Content-Type"], allow_credentials=True, max_age=3600 ) ) Per-Route Bypassing If a specific endpoint requires custom or dynamic cross-origin logic, you can instruct CORSMiddleware to bypass the request by setting request.state["cors_skip"] = True. Options Reference Option Type Default Description allow_origins list[str | Pattern] None Allowed origins. Supports exact matches, globs, or regex. allow_methods list[str] None List of allowed HTTP methods (e.g. GET, POST). allow_headers list[str] None Allowed request headers during preflight. expose_headers list[str] None Headers safe to expose to browser clients. allow_credentials bool False Allows cookies and Authorization headers to pass. max_age int 600 Preflight OPTIONS response cache duration (seconds). Static Files Rate Limiting )
Go to Homepage