
CorsHeaders Setting Options
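# CORS Settings (django-cors-headers)
#
# IMPORTANT: In a production environment, NEVER set CORS_ALLOW_ALL_ORIGINS = True.
# Instead, explicitly list your allowed origins.
#
# Option 1: Allow ALL origins (ONLY for development/testing, NOT PRODUCTION)
# CORS_ALLOW_ALL_ORIGINS = True  # Unsafe for production
#
# Option 2: Specify allowed origins (RECOMMENDED for production)
#
# Each entry is an origin, i.e. scheme://host[:port] exactly as the browser sends
# it in the Origin header: the scheme is part of the match, the port matters, and
# there must be no path or trailing slash.
#
# Keep development origins (localhost, 127.0.0.1) out of the list that ships to
# production; a common pattern is to build this list from an environment
# variable per deployment rather than hard-coding dev and prod entries together.
CORS_ALLOWED_ORIGINS = [
    "http://localhost:3000",  # Example: your frontend dev server
    "http://127.0.0.1:8000",  # Example: your Django dev server (only needed if a frontend is served from it on a different origin than the API)
    "https://your-frontend-domain.com",  # Your production frontend domain
    "https://www.your-frontend-domain.com",  # Your production frontend domain with www
    # Add any other legitimate origins that need to access your API
]

# Or, if your frontend is on a subdomain of your backend (e.g., frontend.example.com
# accessing api.example.com). Anchor the pattern on both ends, pin the scheme, and
# match a single host label rather than ".*" so the rule cannot be widened by a
# look-alike host; Python regexes do not need "/" escaped.
# CORS_ALLOWED_ORIGIN_REGEXES = [
#     r"^https://[\w-]+\.your-main-domain\.com$",  # Allows any direct subdomain
# ]

# Optional: Configure allowed methods and headers if you need more granular control
# CORS_ALLOWED_METHODS = [
#     "DELETE",
#     "GET",
#     "OPTIONS",
#     "PATCH",
#     "POST",
#     "PUT",
# ]
# CORS_ALLOWED_HEADERS = [
#     "accept",
#     "accept-encoding",
#     "authorization",  # CRITICAL for JWT authentication
#     "content-type",
#     "dnt",
#     "origin",
#     "user-agent",
#     "x-csrftoken",  # If your frontend uses CSRF tokens (less common with pure JWT APIs)
#     "x-requested-with",
# ]

# Optional: Allows credentials (cookies, HTTP authentication, client SSL certificates)
# to be sent with the request. Required for session-based authentication or if
# you're sending JWTs in cookies (not recommended, use the Authorization header).
#
# Only enable this together with an explicit origin list. Browsers refuse a
# wildcard Access-Control-Allow-Origin on credentialed requests, and combining
# CORS_ALLOW_CREDENTIALS = True with CORS_ALLOW_ALL_ORIGINS = True makes the
# middleware reflect whatever Origin is sent, which lets any site make
# authenticated requests on behalf of a logged-in user. If session/cookie auth is
# used cross-origin, the same origins also belong in Django's CSRF_TRUSTED_ORIGINS.
# CORS_ALLOW_CREDENTIALS = True

# Optional: Only apply CORS to specific URL patterns (e.g., just your /api/ endpoints)
# This is useful if you have non-API pages that shouldn't have CORS headers.
# CORS_URLS_REGEX = r"^/api/.*$"

# ... (rest of your settings) ...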