Skip to content

Fix Access-Control-Expose-Headers for Flask #2329

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tomkralidis merged 3 commits into from
Apr 28, 2026
Merged

Fix Access-Control-Expose-Headers for Flask #2329

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9a15f1e
Fix Flask Expose Headers
C-Loftus Apr 27, 2026
740f044
add a test
C-Loftus Apr 27, 2026
3b159d3
switch to single quotes
C-Loftus Apr 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion pygeoapi/flask_app.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,7 @@
if CONFIG['server'].get('cors', False):
try:
from flask_cors import CORS
CORS(APP, CORS_EXPOSE_HEADERS=['*'])
CORS(APP, expose_headers='*')
Copy link
Copy Markdown
Contributor Author

@C-Loftus C-Loftus Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I renamed this argument here since expose_headers has explicit documentation in the flask cors docs as

    :param expose_headers:
        The header or list which are safe to expose to the API of a CORS API
        specification.

        Default : None

It seems you are intended to be able to use CORS_EXPOSE_HEADERS in some way but I was not able to get this to work.

It seems like this header is special in some way and the corresponding header only gets set if expose_headers is in the kwargs, not the uppercase CORS_EXPOSE_HEADERS version of it.
https://github.com/corydolphin/flask-cors/blob/main/flask_cors/core.py#L188 I think this might be a bug in the upstream library. Either way, this is highly dynamic it is probably best to use the version of the arg that is specified as an arg and not a dynamic kwarg.

Copy link
Copy Markdown
Contributor Author

@C-Loftus C-Loftus Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One other note, I also checked all the other defaults on CORS and all the others seem reasonable to me. So I didn't edit anything else.

except ModuleNotFoundError:
print('Python package flask-cors required for CORS support')

Expand Down
6 changes: 6 additions & 0 deletions tests/api/test_api.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -280,6 +280,9 @@ def test_apirules_active(config_with_rules, rules_api):
assert response.status_code == 200
response = flask_client.get(flask_prefix)
assert response.status_code in (307, 308)
# Ensure that the expose-headers are set regardless of
# whether apirules are active or not
assert response.headers['Access-Control-Expose-Headers'] == '*'

# Test links on landing page for correct URLs
response = flask_client.get(flask_prefix, follow_redirects=True)
Expand Down Expand Up @@ -342,6 +345,9 @@ def test_apirules_inactive(config, api_):
flask_client.application.url_for('pygeoapi.conformance')
response = flask_client.get('/static/img/pygeoapi.png')
assert response.status_code == 200
# Ensure that the expose-headers are set regardless of
# whether apirules are active or not
assert response.headers['Access-Control-Expose-Headers'] == '*'

# Test trailing slashes
response = flask_client.get('/')
Expand Down
Loading