## Django CORS Headers

`django-cors-headers` is a Django application for handling the server headers required for Cross-Origin Resource Sharing (CORS). It allows in-browser requests to your Django application from other origins.

### Why is it important?
In a modern web architecture where your frontend (e.g., Next.js, React) runs on a different domain or port (e.g., `localhost:3000`) than your backend (e.g., `localhost:8000`), the browser's Same-Origin Policy will block API requests by default. CORS headers tell the browser that it's safe to allow these cross-origin requests.

### Installation & Setup

#### 1. Install the package
```bash
pipenv install django-cors-headers
```

#### 2. Configure `settings.py`

Add it to your `INSTALLED_APPS` and `MIDDLEWARE`.

**INSTALLED_APPS**:
```python
INSTALLED_APPS = [
    # ...
    'corsheaders',
    # ...
]
```

**MIDDLEWARE**:
**Crucial**: `CorsMiddleware` must be placed as high as possible, especially before any middleware that can generate responses (like `CommonMiddleware`).

```python
MIDDLEWARE = [
    # ...
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    # ...
]
```

### Configuration

You can control which origins are allowed to access your API using `settings.py`.

#### Allow Specific Origins (Recommended)
Use `CORS_ALLOWED_ORIGINS` to list the exact hostnames allowed.

```python
CORS_ALLOWED_ORIGINS = [
    "http://localhost:3000",
    "https://my-frontend.com",
]
```

#### Allow All Origins (Development Only)
For rapid development, you might set `CORS_ALLOW_ALL_ORIGINS = True`, but **never** do this in production as it exposes your API to everyone.

#### Credentials
If you are using cookies (e.g., for JWT auth or sessions) across domains, you must set:

```python
CORS_ALLOW_CREDENTIALS = True
```

And your frontend request must include `credentials: 'include'`.

### Common Issues

1.  **Middleware Order**: If `CommonMiddleware` or `GZipMiddleware` is before `CorsMiddleware`, headers might not be added correctly.
2.  **Trailing Slashes**: Origins in `CORS_ALLOWED_ORIGINS` should **not** have a trailing slash (e.g., use `http://localhost:3000`, not `http://localhost:3000/`).
3.  **Browser Cache**: Browsers cache CORS preflight (OPTIONS) requests. If you change settings and don't see an effect, try clearing your browser cache or testing in Incognito mode.