# CORS

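CORS (Cross-Origin Resource Sharing) is a browser security mechanism. By default, the browser's same-origin policy stops a web application from reading responses from a different origin; CORS lets the server explicitly allow specific origins to do so.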

## Why Use CORS?

CORS is required when:

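* Your frontend runs on one origin (e.g., `http://localhost:3000`)
* Your API runs on another origin (e.g., `http://127.0.0.1:8000`)
* You want to control which browser origins can access your API

An origin is the combination of scheme, host, and port, so the two examples above are different origins even on the same machine. CORS is enforced by the browser; it does not restrict non-browser clients such as scripts or command-line tools, so it is not a substitute for authentication and authorization on the API.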

## Enabling CORS

You can enable CORS using the `add_cors()` method on your application:

```python
app.add_cors(
    allow_origins=["http://localhost:3000"],
    allow_methods=["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
    allow_headers=["Content-Type", "Authorization"],
    allow_credentials=True
)
```

## Configuration Options

### `allow_origins`

Specifies which origins are allowed to access your API.

```python
allow_origins=["http://localhost:3000"]
```

To allow all origins (development only):

```python
allow_origins=["*"]
```

### `allow_methods`

Defines which HTTP methods are allowed:

```python
allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"]
```

### `allow_headers`

Defines which headers the client is allowed to send:

```python
allow_headers=["Content-Type", "Authorization"]
```

### `allow_credentials`

Allows the browser to include cookies and authentication headers in cross-origin requests:

```python
allow_credentials=True
```

{% hint style="warning" %}
When using credentials, `allow_origins` cannot be `"*"` and must be explicitly set.
{% endhint %}

## Preflight Requests

For certain requests (e.g., POST with custom headers), browsers send an `OPTIONS` request before the actual request. This is called a **preflight request**.

Slush automatically handles preflight requests and returns the required CORS headers.

## Example Flow

1. Browser sends an `OPTIONS` request
2. Slush responds with allowed methods and headers
3. Browser sends the actual request
4. Slush includes CORS headers in the response
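
The decision made in steps 1 and 2 can be sketched as follows. This is an added example, not Slush's own code: `CorsPolicy` and `preflight_headers` are hypothetical names that mirror the `add_cors()` options, and the logic follows the general CORS rules (exact origin match, credentials never combined with `"*"`).

```python
# Added illustration: a generic preflight decision, not Slush's internal code.
from dataclasses import dataclass, field


@dataclass
class CorsPolicy:  # hypothetical container mirroring the add_cors() options
    allow_origins: list
    allow_methods: list = field(default_factory=lambda: ["GET"])
    allow_headers: list = field(default_factory=list)
    allow_credentials: bool = False

    def __post_init__(self):
        # Browsers reject "*" on credentialed requests, so fail at startup.
        if self.allow_credentials and "*" in self.allow_origins:
            raise ValueError("allow_credentials=True requires explicit origins")


def preflight_headers(policy, request_headers):
    """Return the CORS headers for an OPTIONS preflight, or {} to deny."""
    h = {k.lower(): v for k, v in request_headers.items()}
    origin = h.get("origin")
    method = h.get("access-control-request-method", "").upper()
    asked = [x.strip().lower() for x in
             h.get("access-control-request-headers", "").split(",") if x.strip()]

    wildcard = "*" in policy.allow_origins
    # Exact match on scheme://host:port; prefix or substring tests are unsafe.
    if origin is None or not (wildcard or origin in policy.allow_origins):
        return {}
    if method not in [m.upper() for m in policy.allow_methods]:
        return {}
    allowed = {x.lower() for x in policy.allow_headers}
    if any(x not in allowed for x in asked):
        return {}

    out = {
        "Access-Control-Allow-Origin": "*" if wildcard else origin,
        "Access-Control-Allow-Methods": ", ".join(policy.allow_methods),
        "Access-Control-Allow-Headers": ", ".join(policy.allow_headers),
    }
    if not wildcard:
        out["Vary"] = "Origin"  # response differs per origin; keeps caches correct
    if policy.allow_credentials:
        out["Access-Control-Allow-Credentials"] = "true"
    return out
```

An empty result means the response carries no CORS headers, and the browser then blocks the actual request in step 3.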

## 🧠 Example

```python
from slush.app import Slush

app = Slush()

app.add_cors(
    allow_origins=["http://localhost:3000"],
    allow_methods=["GET", "POST", "OPTIONS"],
    allow_headers=["Content-Type"]
)

@app.route("/hello", methods=["GET"])
def hello(request):
    return {"message": "Hello from Slush"}
```

## Summary

Slush CORS support allows you to:

* Enable cross-origin API access
* Control allowed origins, methods, and headers
* Handle preflight requests automatically
* Support authenticated requests with credentials


