django-cors-headers: CORS_ALLOWED_ORIGINS versus regex and deployment checklist
Explicit lists beat regex for clarity; use CORS_ALLOWED_ORIGIN_REGEXES only when subdomains are dynamic.
Tags: django, python, cors
Static and media
WhiteNoise and S3 static hosts may need their own CORS configuration for fonts; the API's CORS settings do not cover static buckets.
If you serve uploads from the same Django process, verify how OPTIONS (preflight) requests are answered on file download routes.
Production
Keep CORS_ALLOW_ALL_ORIGINS disabled unless you truly understand the public data exposure it implies.
Rotate secrets in the same deploy that changes allowed origins to avoid partial misconfiguration windows.
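A pre-deploy check for the list-versus-regex choice above, as an added example (not code from django-cors-headers). It assumes regex entries are applied with re.match, so they are anchored only at the start; origin_allowed and audit are hypothetical helper names, and every origin and pattern is constructed on the placeholder domain example.com.

```python
import re

# Constructed settings for illustration only.
CORS_ALLOWED_ORIGINS = ["https://app.example.com"]
WEAK_REGEXES = [r"https://\w+.example.com"]              # unescaped dots, no end anchor
STRICT_REGEXES = [r"^https://[a-z0-9-]+\.example\.com$"]  # escaped dots, anchored both ends

# Constructed origins the deployment expects to accept and to reject.
MUST_ALLOW = ["https://app.example.com", "https://tenant42.example.com"]
MUST_DENY = [
    "https://app.example.com.attacker.test",  # trusted name is only a prefix
    "https://appXexample.com",                # "." in a pattern matches any character
    "http://app.example.com",                 # plaintext scheme
    "null",                                   # opaque origin
]


def origin_allowed(origin, allowed, regexes):
    """Hypothetical helper: exact list membership, or re.match on any pattern.

    Assumption: patterns are evaluated with re.match (start-anchored only).
    """
    return origin in allowed or any(re.match(p, origin) for p in regexes)


def audit(allowed, regexes, must_allow=MUST_ALLOW, must_deny=MUST_DENY):
    """Return (origin, problem) findings; an empty list means the config behaves as intended."""
    findings = []
    for origin in must_allow:
        if not origin_allowed(origin, allowed, regexes):
            findings.append((origin, "expected allow, got deny"))
    for origin in must_deny:
        if origin_allowed(origin, allowed, regexes):
            findings.append((origin, "expected deny, got allow"))
    return findings


if __name__ == "__main__":
    for label, patterns in (("weak", WEAK_REGEXES), ("strict", STRICT_REGEXES)):
        print(label, audit(CORS_ALLOWED_ORIGINS, patterns))
```

Running the same audit in CI against the real settings module catches a loosened pattern before it ships.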
