* 创建一个允许的源列表（由字符串组成）。
* 将其作为「中间件」添加到你的 **FastAPI** 应用中。

你也可以指定后端是否允许：

* 凭证（授权 headers，Cookies 等）。
* 特定的 HTTP 方法（`POST`，`PUT`）或者使用通配符 `"*"` 允许所有方法。
* 特定的 HTTP headers 或者使用通配符 `"*"` 允许所有 headers。

{* ../../docs_src/cors/tutorial001.py hl[2,6:11,13:19] *}

默认情况下，这个 `CORSMiddleware` 实现所使用的默认参数较为保守，所以你需要显式地启用特定的源、方法或者 headers，以便浏览器能够在跨域上下文中使用它们。

支持以下参数：

## Version 4.9.2

_2021-09-30_

 *  Fix: Don't include potentially-sensitive header values in `Headers.toString()` or exceptions.
    This applies to `Authorization`, `Cookie`, `Proxy-Authorization`, and `Set-Cookie` headers.
 *  Fix: Don't crash with an `InaccessibleObjectException` when running on JDK17+ with strong
    encapsulation enabled.

type Identity struct {
	Type        string `json:"type"`
	PrincipalID string `json:"principalId"`
	AccessKeyID string `json:"accessKeyId"`
}

// UserRequest user request headers
type UserRequest struct {
	URL     string      `json:"url"`
	Headers http.Header `json:"headers"`
}

// GetObjectContext provides the necessary details to perform
// download of the object, and return back the processed response
// to the server.

        // Mock getHeaderFields to return our headers
        Map<String, List<String>> allHeaders = headers != null ? new HashMap<>(headers) : new HashMap<>();
        allHeaders.put(null, Collections.singletonList(statusLine)); // Status line
        when(conn.getHeaderFields()).thenReturn(allHeaders);

        // Mock individual header access by both string key and index
        if (headers != null) {
            // Mock by header name

Mas lembre-se que quando você importa `Query`, `Path`, `Header`, e outras de `fastapi`, elas são na verdade funções que retornam classes especiais.

///

/// info | Informação

Para declarar headers, você precisa usar `Header`, caso contrário, os parâmetros seriam interpretados como parâmetros de consulta.

///

## Conversão automática { #automatic-conversion }

## Checando a documentação { #check-the-docs }

Você pode ver os headers necessários na interface gráfica da documentação em `/docs`:

<div class="screenshot">
<img src="/img/tutorial/header-param-models/image01.png">
</div>

## Proibindo Cabeçalhos adicionais { #forbid-extra-headers }

async def get_current_user(token: Annotated[str, Depends(oauth2_scheme)]):
    credentials_exception = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Could not validate credentials",
        headers={"WWW-Authenticate": "Bearer"},
    )
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        username = payload.get("sub")
        if username is None:

También puede ayudar a evitar confusiones para nuevos desarrolladores que vean un parámetro no usado en tu código y puedan pensar que es innecesario.

///

/// info | Información

En este ejemplo usamos headers personalizados inventados `X-Key` y `X-Token`.

    This class is in the `logging-interceptor` artifact.
 *  New: `Headers.Builder.addUnsafeNonAscii()` allows non-ASCII values to be added without an
    immediate exception.
 *  New: Headers can be redacted in `HttpLoggingInterceptor`.
 *  New: `Headers.Builder` now accepts dates.
 *  New: OkHttp now accepts `java.time.Duration` for timeouts on Java 8+ and Android 26+.

client = TestClient(app)


def test_get():
    response = client.get("/typer", follow_redirects=False)
    assert response.status_code == 307, response.text
    assert response.headers["location"] == "https://typer.tiangolo.com"


def test_openapi_schema():
    response = client.get("/openapi.json")
    assert response.status_code == 200, response.text
    assert response.json() == {