Enabling CORS in Django

By default, it is not allowed for a domain to access an API hosted in another domain. When a domain (abc.com) wants to access a resource in another domain (xyz.com), it is called Cross Origin request, which is disabled by default for security reasons.

When we want to allow our REST API hosted in our Django application to be accessed from other applications hosted on other server, we must enable CORS (Cross-Origin Resource Sharing).

Click here for more information about CORS.

In this blog, I explain steps to be taken to enable CORS in Django application.

Steps

Take the following steps to enable CORS for Rest API hosted in Django application. I assume you already have REST API developed and hosted. I just focus on how to allow resources to be accessed from cross domain.

Install django-cors-headers using PIP as follows:
```
pip install django-cors-headers 
```
Add corsheaders to installed applications in settings.py:
```
INSTALLED_APPS = [
    ...
    'corsheaders',
]
```

Add corsheaders.middleware.CorsMiddleware to middleware section in settings.py:

MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    ...

]

Allow access to all domains by setting the following variable to TRUE in settings.py:
```
CORS_ORIGIN_ALLOW_ALL = True
```
Alternatively, you can specify which domains must be given access by creating following variables in settings.py:
```
CORS_ORIGIN_ALLOW_ALL = False
CORS_ORIGIN_WHITELIST = (
       'http://localhost:4200',
)
```

That's all you have to do to access resources of django application from other applications hosted on other servers.

For further reference, use the following resources:

cors-headers project in github.

Cross-Origin Resource Sharing documentation by Mozilla.