LangChain Reference home page

GitHub
Main Docs

LangGraph Checkpoint

LangGraph Store

Checkpoint Postgres

Store Postgres

Checkpoint SQLite

LangGraph Prebuilt

LangGraph CLI

LangGraph SDK

LangGraph Supervisor

LangGraph Swarm

⌘I

LangChain Assistant

Ask a question to get started

Enter to send•Shift+Enter new line

Menu

LangGraph Checkpoint

LangGraph Store

Checkpoint Postgres

Checkpoint SQLite

LangGraph Prebuilt

LangGraph Supervisor

LangGraph Swarm

Language

Theme

Pythonlanggraph-clischemasCorsConfig

Class●Since v0.4

CorsConfig

Copy

CorsConfig()

Bases

TypedDict

Constructors

Attributes

View source on GitHub

constructor

__init__

Name	Type
allow_origins	list[str]
allow_methods	list[str]
allow_headers	list[str]
allow_credentials	bool
allow_origin_regex	str
expose_headers	list[str]
max_age	int

allow_origins: list[str]

Optional. List of allowed origins (e.g., "https://example.com").

Default is often an empty list (no external origins). Use "*" only if you trust all origins, as that bypasses most restrictions.

allow_methods: list[str]

Optional. HTTP methods permitted for cross-origin requests (e.g. ["GET", "POST"]).

Default might be ["GET", "POST", "OPTIONS"] depending on your server framework.

allow_headers: list[str]

Optional. HTTP headers that can be used in cross-origin requests (e.g. ["Content-Type", "Authorization"]).

allow_credentials: bool

Optional. If True, cross-origin requests can include credentials (cookies, auth headers).

Default False to avoid accidentally exposing secured endpoints to untrusted sites.

allow_origin_regex: str

Optional. A regex pattern for matching allowed origins, used if you have dynamic subdomains.

Example: "^https://.*.mycompany.com$"

expose_headers: list[str]

Optional. List of headers that browsers are allowed to read from the response in cross-origin contexts.

Optional. How many seconds the browser may cache preflight responses.

Default might be 600 (10 minutes). Larger values reduce preflight requests but can cause stale configurations.

Specifies Cross-Origin Resource Sharing (CORS) rules for your server.

If omitted, defaults are typically very restrictive (often no cross-origin requests). Configure carefully if you want to allow usage from browsers hosted on other domains.