FastAPI Interview
FastAPI Basics FastAPI Uvicorn FastAPI Routing FastAPI Pydantic Models FastAPI Automatic API Documentation FastAPI Handling Request Data FastAPI SQLAlchemy ORM FastAPI Tortoise ORM FastAPI Dependency Injection FastAPI Response Models FastAPI Error Handling FastAPI OAuth2 FastAPI JWT (Json Web Tokens) FastAPI RBAC FastAPI Background Tasks FastAPI Middleware FastAPI Handling File Uploads FastAPI Async Programming FastAPI WebSockets FastAPI Testing FastAPI Security FastAPI Extensions FastAPI CORS FastAPI Deployment FastAPI Optimization FastAPI GraphQL FastAPI Task Queues And Celery FastAPI Custom CLI Commands FastAPI Server-Sent Events

FastAPI Interview

FastAPI Basics FastAPI Uvicorn FastAPI Routing FastAPI Pydantic Models FastAPI Automatic API Documentation FastAPI Handling Request Data FastAPI SQLAlchemy ORM FastAPI Tortoise ORM FastAPI Dependency Injection FastAPI Response Models FastAPI Error Handling FastAPI OAuth2 FastAPI JWT (Json Web Tokens) FastAPI RBAC FastAPI Background Tasks FastAPI Middleware FastAPI Handling File Uploads FastAPI Async Programming FastAPI WebSockets FastAPI Testing FastAPI Security FastAPI Extensions FastAPI CORS FastAPI Deployment FastAPI Optimization FastAPI GraphQL FastAPI Task Queues And Celery FastAPI Custom CLI Commands FastAPI Server-Sent Events

FastAPI CORS

What is CORS in FastAPI?

Cross-Origin Resource Sharing (CORS) is a security feature implemented by web browsers to prevent web pages from making requests to a different domain than the one that served the web page. FastAPI provides built-in support for handling CORS through the CORSMiddleware. This allows you to control which origins (domains) can access your API and what methods and headers they can use.

Why do you need CORS in FastAPI?

CORS is needed when your FastAPI backend is hosted on a different domain, port, or protocol than the frontend (e.g., frontend on http://localhost:3000 and backend on http://localhost:8000). Without enabling CORS, browsers will block cross-origin requests by default, leading to errors when the frontend tries to access resources from the backend.

How do you enable CORS in FastAPI?

To enable CORS in FastAPI, you use the CORSMiddleware provided by FastAPI. You can configure it to allow specific origins, HTTP methods, headers, and whether to allow credentials (e.g., cookies).

Example of enabling CORS in FastAPI:

from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

origins = [
    "http://localhost",
    "http://localhost:3000",
    "https://your-frontend-domain.com"
]

app.add_middleware(
    CORSMiddleware,
    allow_origins=origins,  # List of origins that are allowed to access the API
    allow_credentials=True,  # Allow credentials like cookies
    allow_methods=["*"],  # Allow all HTTP methods (GET, POST, etc.)
    allow_headers=["*"],  # Allow all headers
)

In this example, CORS is enabled for specific origins, and all HTTP methods and headers are allowed. Credentials (e.g., cookies) are also permitted for cross-origin requests.

What is the allow_origins parameter in FastAPI CORS?

The allow_origins parameter in FastAPI CORS configuration defines which origins (domains) are allowed to access the API. You can specify a list of allowed origins, and only requests coming from those origins will be accepted by the browser. If you set allow_origins to ["*"], all domains will be allowed to access the API.

Example of using allow_origins:

app.add_middleware(
    CORSMiddleware,
    allow_origins=["http://localhost", "https://example.com"]
)

In this example, only requests from http://localhost and https://example.com are allowed to access the API.

What is the allow_methods parameter in FastAPI CORS?

The allow_methods parameter in FastAPI CORS configuration specifies which HTTP methods are allowed for cross-origin requests. You can specify a list of allowed methods, such as ["GET", "POST"]. To allow all methods, you can use ["*"].

Example of using allow_methods:

app.add_middleware(
    CORSMiddleware,
    allow_methods=["GET", "POST"]
)

In this example, only GET and POST requests are allowed from cross-origin clients.

What is the allow_headers parameter in FastAPI CORS?

The allow_headers parameter specifies which HTTP headers can be used when making cross-origin requests. You can allow specific headers like ["Authorization", "Content-Type"] or use ["*"] to allow all headers.

Example of using allow_headers:

app.add_middleware(
    CORSMiddleware,
    allow_headers=["Authorization", "Content-Type"]
)

In this example, only requests with the Authorization and Content-Type headers will be accepted from cross-origin clients.

What is the allow_credentials parameter in FastAPI CORS?

The allow_credentials parameter in FastAPI CORS configuration controls whether cross-origin requests can include credentials such as cookies, authorization headers, or TLS client certificates. If set to True, the API will allow cross-origin requests to send cookies or other credentials.

Example of using allow_credentials:

app.add_middleware(
    CORSMiddleware,
    allow_origins=["http://localhost:3000"],
    allow_credentials=True  # Allows cookies to be included in cross-origin requests
)

In this example, cookies or other credentials will be allowed in requests coming from http://localhost:3000.

How do you handle CORS preflight requests in FastAPI?

Browsers send a preflight OPTIONS request before certain cross-origin requests, such as those with custom headers or methods other than GET or POST. FastAPI's CORSMiddleware automatically handles these preflight requests by responding with the appropriate CORS headers.

For most use cases, you don't need to manually handle the preflight OPTIONS requests as the middleware takes care of it.

How do you allow all origins for CORS in FastAPI?

To allow all origins (domains) to access your API, you can set the allow_origins parameter to ["*"]. This will permit any domain to make requests to your API.

Example of allowing all origins:

app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
    allow_methods=["*"],
    allow_headers=["*"]
)

In this example, all origins, methods, and headers are allowed, making the API accessible from any domain.

How do you configure CORS for multiple environments in FastAPI?

To configure CORS for multiple environments (e.g., development, production), you can use environment variables to specify the allowed origins for each environment. For example, you might allow all origins in development but restrict them in production.

Example of configuring CORS for different environments:

import os
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

if os.getenv("ENV") == "development":
    origins = ["*"]  # Allow all origins in development
else:
    origins = ["https://your-production-domain.com"]  # Restrict origins in production

app.add_middleware(
    CORSMiddleware,
    allow_origins=origins,
    allow_methods=["*"],
    allow_headers=["*"],
)

In this example, CORS is configured differently for development and production environments, allowing all origins during development but restricting access to a specific domain in production.

How do you test CORS configuration in FastAPI?

To test CORS configuration, you can use browser developer tools or tools like curl or Postman. Make a request from a different origin (e.g., from a frontend hosted on a different port or domain) and check whether the API returns the appropriate CORS headers like Access-Control-Allow-Origin.

Example of testing with curl:

curl -H "Origin: http://localhost:3000" -X GET http://localhost:8000/data/ -v

In this example, the Origin header is used to simulate a cross-origin request. You can inspect the response headers to check if the correct CORS headers are included.

Ads