@veeceey veeceey commented Feb 8, 2026

Summary

Background

When sending a CORS request with credentials (either cookies or Authorization header), the wildcard origin (*) is rejected by the browser according to the CORS specification. The middleware was correctly handling this for cookies, but not for Authorization headers.

Since token-based authentication (Bearer tokens) is widely used in modern APIs, the Authorization header should be treated the same as cookies when determining CORS behavior.

Changes

  1. Code: Added check for authorization header alongside the existing cookie check in starlette/middleware/cors.py
  2. Tests: Added comprehensive test coverage for Authorization header behavior:
    • Test that Authorization header triggers explicit origin in response (like cookies do)
    • Test that Vary header is properly set with Authorization header
    • Test credentialed requests return specific origin

Testing

All existing tests pass, and new tests verify the Authorization header behavior:

$ pytest tests/middleware/test_cors.py -xvs
17 passed in 0.09s

CORS Specification Compliance

According to the CORS spec, when credentials are present in a request, the Access-Control-Allow-Origin response header cannot be * and must specify the exact origin. This applies to both:

  • Cookie headers (already implemented)
  • Authorization headers (now implemented)

Fixes #1832

Fixes Kludex#1832

The CORSMiddleware now checks for Authorization headers in addition to
cookies when determining whether to return a specific origin instead of
wildcard. This is important because token-based authentication (Bearer
tokens) is widely used and should be treated the same as cookie-based
authentication for CORS compliance.

According to the CORS specification, when credentials are included in a
request (either cookies or Authorization header), the server must respond
with the specific origin instead of "*".

Changes:
- Added check for Authorization header in addition to cookie check
- Updated tests to verify Authorization header is handled correctly
- Added test cases for Vary header with Authorization header
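To make the decision described above concrete, here is a small stand-alone model of the origin-selection logic and of the browser-side check that rejects a wildcard on credentialed requests. This is an added illustration, not Starlette's `CORSMiddleware` code: the function names, the `treat_authorization_as_credential` switch (which stands for the before/after behaviour of this PR) and the sample request headers are all constructed for the example.

```python
"""
Model of a CORS middleware's Access-Control-Allow-Origin decision for a
simple (non-preflight) response, plus the browser's acceptance check.

Added example; not Starlette's implementation. All names here are
constructed for illustration.
"""
from typing import Dict, Iterable


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise for lookups."""
    return {k.lower(): v for k, v in headers.items()}


def cors_response_headers(
    request_headers: Dict[str, str],
    allow_origins: Iterable[str],
    treat_authorization_as_credential: bool = True,
) -> Dict[str, str]:
    """Return the CORS response headers the server should emit.

    treat_authorization_as_credential=False models the behaviour before
    this PR (only Cookie counted as credentials); True models the fix.
    """
    hdrs = _lower(request_headers)
    origin = hdrs.get("origin")
    response: Dict[str, str] = {}
    if origin is None:
        return response  # same-origin or non-browser request: nothing to add

    allow_all = "*" in allow_origins
    credentialed = "cookie" in hdrs or (
        treat_authorization_as_credential and "authorization" in hdrs
    )

    if allow_all and not credentialed:
        # Anonymous request: the wildcard is fine and cache-friendly.
        response["Access-Control-Allow-Origin"] = "*"
    elif allow_all and credentialed:
        # Credentials present: echo the exact origin instead of "*".
        # The response now differs per origin, so caches must key on it.
        response["Access-Control-Allow-Origin"] = origin
        response["Vary"] = "Origin"
    elif origin in allow_origins:
        # Explicit allow-list: always an exact origin, always Vary: Origin.
        response["Access-Control-Allow-Origin"] = origin
        response["Vary"] = "Origin"
    # Otherwise the origin is not allowed: omit the header and the
    # browser will block the response.
    return response


def browser_accepts(request_headers: Dict[str, str], response_headers: Dict[str, str]) -> bool:
    """Model the browser's CORS check for the response.

    With credentials on the request, the CORS spec requires the exact
    requesting origin in Access-Control-Allow-Origin; "*" is rejected.
    """
    hdrs = _lower(request_headers)
    origin = hdrs.get("origin")
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    credentialed = "cookie" in hdrs or "authorization" in hdrs
    if credentialed:
        return acao == origin
    return acao in ("*", origin)


if __name__ == "__main__":
    # Constructed sample request: Bearer token, wildcard allow-list.
    req = {"Origin": "https://app.example", "Authorization": "Bearer <token>"}
    before = cors_response_headers(req, ["*"], treat_authorization_as_credential=False)
    after = cors_response_headers(req, ["*"])
    print("before fix:", before, "accepted:", browser_accepts(req, before))
    print("after fix: ", after, "accepted:", browser_accepts(req, after))
```

Running the module shows the two outcomes side by side: with the pre-fix logic the server answers `*` and the browser discards the response; with the fix it answers `https://app.example` plus `Vary: Origin` and the browser accepts it.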
Successfully merging this pull request may close these issues.

CORSMiddleware does not provide explicit origin although Authorization header is present