![[The AI Show Episode 148]: Microsoft’s Quiet AI Layoffs, US Copyright Office’s Bombshell AI Guidance, 2025 State of Marketing AI Report, and OpenAI Codex](https://www.marketingaiinstitute.com/hubfs/ep%20148%20cover%20%281%29.png)
![[The AI Show Episode 146]: Rise of “AI-First” Companies, AI Job Disruption, GPT-4o Update Gets Rolled Back, How Big Consulting Firms Use AI, and Meta AI App](https://www.marketingaiinstitute.com/hubfs/ep%20146%20cover.png)
![[DEALS] Babbel Language Learning: Lifetime Subscription (All Languages) (71% off) & Other Deals Up To 98% Off – Offers End Soon!](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
![Borderlands 4 Boss Says 'A Real Fan' Will Pay $80 For Games [Update]](https://i.kinja-img.com/image/upload/c_fill,h_675,pg_1,q_80,w_1200/086e4654c281e40d12b833591d2c6fdc.jpg)
_Constantine_Soutiaguin-Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![Nomad levels up its best-selling charger with new 100W slim adapter [Hands-on]](https://i0.wp.com/9to5mac.com/wp-content/uploads/sites/6/2025/05/100w-FI.jpg.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![Google just showed off Android Auto’s upcoming light theme [Gallery]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/05/android-auto-light-theme-documentation-2.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![Jony Ive and OpenAI Working on AI Device With No Screen [Kuo]](https://www.iclarified.com/images/news/97401/97401/97401-640.jpg)
![Anthropic Unveils Claude 4 Models That Could Power Apple Xcode AI Assistant [Video]](https://www.iclarified.com/images/news/97407/97407/97407-640.jpg)
![Apple Leads Global Wireless Earbuds Market in Q1 2025 [Chart]](https://www.iclarified.com/images/news/97394/97394/97394-640.jpg)
Enabling CORS in Flask
When you’re building a full-stack app with a separate frontend and a Flask backend, the browser’s Same-Origin Policy will block your API calls unless you explicitly allow them. Cross-Origin Resource Sharing (CORS) is the protocol that lets you opt-in. In this guide we will cover two common ways to get it done in Flask. Adding CORS headers manually Flask lets you set response headers directly, so you can choose which endpoints get which CORS rules. Basic allow-origin If your frontend lives at https://myapp.com, you can allow it like this: from flask import Flask, request, jsonify, make_response app = Flask(__name__) @app.route("/api/hello") def hello(): resp = make_response(jsonify({"msg": "hi"})) # allow just one origin resp.headers["Access-Control-Allow-Origin"] = "https://myapp.com" return resp Handling the pre-flight (OPTIONS) request Whenever the browser thinks the real call might be “unsafe” (custom headers, non-GET method, etc.) it sends an OPTIONS probe first. You have to answer it with the correct headers: @app.route("/api/hello", methods=["OPTIONS", "GET", "POST"]) def hello(): if request.method == "OPTIONS": resp = make_response() resp.headers.update({ "Access-Control-Allow-Origin": "https://myapp.com", "Access-Control-Allow-Methods": "GET, POST", "Access-Control-Allow-Headers": "Content-Type, X-Custom", "Access-Control-Allow-Credentials": "true", # only if you need cookies / auth }) resp.status_code = 204 return resp # Normal GET/POST handler if request.method == "GET": resp = make_response(jsonify({"msg": "hi"})) elif request.method == "POST": data = request.get_json() resp = make_response(jsonify({"data": data})) # allow CORS for actual response resp.headers.update({ "Access-Control-Allow-Origin": "https://myapp.com", "Access-Control-Allow-Credentials": "true" }) return resp Manual is great when you need per-endpoint logic (e.g., allow some origins only for certain users), but it gets repetitive fast. Using the flask-cors library The flask-cors library will handle the header logic for you. pip install flask-cors Global configuration (one-liner) from flask import Flask from flask_cors import CORS app = Flask(__name__) CORS(app, origins=["https://myapp.com"], supports_credentials=True) Now every route responds with the right CORS headers and the pre-flight dance “just works.” Fine-grained control You can apply it to a specific blueprint or route instead: from flask_cors import cross_origin @app.route("/public") @cross_origin() # allow all origins def public_stuff(): ... @app.route("/private") @cross_origin(origins="https://myapp.com", methods=["GET", "POST"], expose_headers=["X-Total-Count"]) def private_stuff(): ... Key options you’ll use most: Option What it does origins Accept single origin, list, or "*" methods Restrict allowed verbs allow_headers Extra request headers you expect expose_headers Response headers the browser can read supports_credentials true → cookies/auth tokens allowed Conclusion To enable CORS in your Flask project, either manually add CORS headers to specific endpoints, or use a third-party library like flask-cors to manage CORS more easily. Either way, both options will allow you to build a robust full-stack application.
When you’re building a full-stack app with a separate frontend and a Flask backend, the browser’s Same-Origin Policy will block your API calls unless you explicitly allow them. Cross-Origin Resource Sharing (CORS) is the protocol that lets you opt-in. In this guide we will cover two common ways to get it done in Flask.
Adding CORS headers manually
Flask lets you set response headers directly, so you can choose which endpoints get which CORS rules.
Basic allow-origin
If your frontend lives at https://myapp.com, you can allow it like this:
from flask import Flask, request, jsonify, make_response
app = Flask(__name__)
@app.route("/api/hello")
def hello():
resp = make_response(jsonify({"msg": "hi"}))
# allow just one origin
resp.headers["Access-Control-Allow-Origin"] = "https://myapp.com"
return resp
Handling the pre-flight (OPTIONS) request
Whenever the browser thinks the real call might be “unsafe” (custom headers, non-GET method, etc.) it sends an OPTIONS probe first. You have to answer it with the correct headers:
@app.route("/api/hello", methods=["OPTIONS", "GET", "POST"])
def hello():
if request.method == "OPTIONS":
resp = make_response()
resp.headers.update({
"Access-Control-Allow-Origin": "https://myapp.com",
"Access-Control-Allow-Methods": "GET, POST",
"Access-Control-Allow-Headers": "Content-Type, X-Custom",
"Access-Control-Allow-Credentials": "true", # only if you need cookies / auth
})
resp.status_code = 204
return resp
# Normal GET/POST handler
if request.method == "GET":
resp = make_response(jsonify({"msg": "hi"}))
elif request.method == "POST":
data = request.get_json()
resp = make_response(jsonify({"data": data}))
# allow CORS for actual response
resp.headers.update({
"Access-Control-Allow-Origin": "https://myapp.com",
"Access-Control-Allow-Credentials": "true"
})
return resp
Manual is great when you need per-endpoint logic (e.g., allow some origins only for certain users), but it gets repetitive fast.
Using the flask-cors library
The flask-cors library will handle the header logic for you.
pip install flask-cors
Global configuration (one-liner)
from flask import Flask
from flask_cors import CORS
app = Flask(__name__)
CORS(app, origins=["https://myapp.com"], supports_credentials=True)
Now every route responds with the right CORS headers and the pre-flight dance “just works.”
Fine-grained control
You can apply it to a specific blueprint or route instead:
from flask_cors import cross_origin
@app.route("/public")
@cross_origin() # allow all origins
def public_stuff():
...
@app.route("/private")
@cross_origin(origins="https://myapp.com",
methods=["GET", "POST"],
expose_headers=["X-Total-Count"])
def private_stuff():
...
Key options you’ll use most:
| Option | What it does |
|---|---|
origins |
Accept single origin, list, or "*" |
methods |
Restrict allowed verbs |
allow_headers |
Extra request headers you expect |
expose_headers |
Response headers the browser can read |
supports_credentials |
true → cookies/auth tokens allowed |
Conclusion
To enable CORS in your Flask project, either manually add CORS headers to specific endpoints, or use a third-party library like flask-cors to manage CORS more easily. Either way, both options will allow you to build a robust full-stack application.
