From 63b1ac6092decf3be1b6c364cc6b850e58ebce17 Mon Sep 17 00:00:00 2001 From: Flavius Raducu Date: Thu, 25 Sep 2025 23:38:03 +0100 Subject: [PATCH 1/4] cors tutorial: add explicit headers when credentials are allowed --- docs_src/cors/tutorial001.py | 4 ++-- tests/test_tutorial/test_cors/test_tutorial001.py | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/docs_src/cors/tutorial001.py b/docs_src/cors/tutorial001.py index d59ab27ac..c73026e0e 100644 --- a/docs_src/cors/tutorial001.py +++ b/docs_src/cors/tutorial001.py @@ -14,8 +14,8 @@ app.add_middleware( CORSMiddleware, allow_origins=origins, allow_credentials=True, - allow_methods=["*"], - allow_headers=["*"], + allow_methods=["GET"], + allow_headers=["X-Example"], ) diff --git a/tests/test_tutorial/test_cors/test_tutorial001.py b/tests/test_tutorial/test_cors/test_tutorial001.py index f62c9df4f..b0b9dae53 100644 --- a/tests/test_tutorial/test_cors/test_tutorial001.py +++ b/tests/test_tutorial/test_cors/test_tutorial001.py @@ -18,7 +18,10 @@ def test_cors(): response.headers["access-control-allow-origin"] == "https://localhost.tiangolo.com" ) - assert response.headers["access-control-allow-headers"] == "X-Example" + expected_headers = ( + "Accept, Accept-Language, Content-Language, Content-Type, X-Example" + ) + assert response.headers["access-control-allow-headers"] == expected_headers # Test standard response headers = {"Origin": "https://localhost.tiangolo.com"} From c91067adc08411eb0c2229766699dab46a0b460f Mon Sep 17 00:00:00 2001 From: Flavius Raducu Date: Wed, 1 Oct 2025 18:16:13 +0100 Subject: [PATCH 2/4] add 'Authorization' header to the test_cors/test_tutorial001.py --- docs_src/cors/tutorial001.py | 2 +- tests/test_tutorial/test_cors/test_tutorial001.py | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/docs_src/cors/tutorial001.py b/docs_src/cors/tutorial001.py index c73026e0e..5884fba99 100644 --- a/docs_src/cors/tutorial001.py 
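Review bot: The move to `allow_methods=["GET"]` and `allow_headers=["X-Example"]` next to `allow_credentials=True` is the right shape for credentialed CORS, but the tutorial code gives the reader no hint why the wildcards went away; add a comment above the `allow_methods` line such as `# With allow_credentials=True, list methods and headers explicitly: the Fetch spec treats "*" literally for credentialed requests, so a wildcard here grants nothing.` Note that `["GET"]` alone makes preflight fail for any POST/PUT the listed origins attempt, which may be stricter than the tutorial needs; the route definitions that presumably follow are outside this hunk, so I cannot confirm GET is the only method used. The `app.add_middleware(` call enclosing these lines starts before the hunk.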
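Review bot: The new expected value hard-codes `Accept, Accept-Language, Content-Language, Content-Type` ahead of `X-Example`, which couples the test to the CORS-safelisted header set and the sorted ordering the middleware presumably applies when `allow_headers` is not `"*"`, and nothing in the hunk says where those four names come from. A one-line comment above the assertion, e.g. `# The middleware merges the CORS-safelisted request headers with allow_headers and sorts the result`, would stop the next maintainer from "fixing" it back to `X-Example`. The `test_cors` function begins before this hunk and continues after it.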
+++ b/docs_src/cors/tutorial001.py @@ -15,7 +15,7 @@ app.add_middleware( allow_origins=origins, allow_credentials=True, allow_methods=["GET"], - allow_headers=["X-Example"], + allow_headers=["Authorization", "X-Example"], ) diff --git a/tests/test_tutorial/test_cors/test_tutorial001.py b/tests/test_tutorial/test_cors/test_tutorial001.py index b0b9dae53..33e1e6503 100644 --- a/tests/test_tutorial/test_cors/test_tutorial001.py +++ b/tests/test_tutorial/test_cors/test_tutorial001.py @@ -18,10 +18,11 @@ def test_cors(): response.headers["access-control-allow-origin"] == "https://localhost.tiangolo.com" ) - expected_headers = ( - "Accept, Accept-Language, Content-Language, Content-Type, X-Example" + assert response.headers["access-control-allow-headers"] == ( + "Accept, Accept-Language, " + "Authorization, Content-Language, " + "Content-Type, X-Example" ) - assert response.headers["access-control-allow-headers"] == expected_headers # Test standard response headers = {"Origin": "https://localhost.tiangolo.com"} From b58ed871d3faafc75d1c191e07672785df334746 Mon Sep 17 00:00:00 2001 From: Flavius Raducu Date: Sun, 5 Oct 2025 22:45:12 +0100 Subject: [PATCH 3/4] remove allow_credentials --- docs_src/cors/tutorial001.py | 5 ++--- tests/test_tutorial/test_cors/test_tutorial001.py | 6 +----- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/docs_src/cors/tutorial001.py b/docs_src/cors/tutorial001.py index 5884fba99..3564114bc 100644 --- a/docs_src/cors/tutorial001.py +++ b/docs_src/cors/tutorial001.py @@ -13,9 +13,8 @@ origins = [ app.add_middleware( CORSMiddleware, allow_origins=origins, - allow_credentials=True, - allow_methods=["GET"], - allow_headers=["Authorization", "X-Example"], + allow_methods=["*"], + allow_headers=["*"], ) diff --git a/tests/test_tutorial/test_cors/test_tutorial001.py b/tests/test_tutorial/test_cors/test_tutorial001.py index 33e1e6503..f62c9df4f 100644 --- a/tests/test_tutorial/test_cors/test_tutorial001.py 
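Review bot: Adding `"Authorization"` to `allow_headers` is necessary rather than cosmetic — it is not a CORS-safelisted request header, so once the list stops being `"*"` a credentialed request carrying a bearer token would fail preflight without it — and the tutorial should say so in place: `# Authorization is not CORS-safelisted; it must be listed explicitly once allow_headers is no longer "*".` The commit subject mentions only the test file, but this hunk changes the tutorial source as well. The enclosing `app.add_middleware(` call starts before this hunk.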
+++ b/tests/test_tutorial/test_cors/test_tutorial001.py @@ -18,11 +18,7 @@ def test_cors(): response.headers["access-control-allow-origin"] == "https://localhost.tiangolo.com" ) - assert response.headers["access-control-allow-headers"] == ( - "Accept, Accept-Language, " - "Authorization, Content-Language, " - "Content-Type, X-Example" - ) + assert response.headers["access-control-allow-headers"] == "X-Example" # Test standard response headers = {"Origin": "https://localhost.tiangolo.com"} From 2ad39537f8f71b180a138173dfaf720f3dcf9791 Mon Sep 17 00:00:00 2001 From: Flavius Raducu Date: Mon, 6 Oct 2025 21:55:04 +0100 Subject: [PATCH 4/4] set allow_credentials to false --- docs_src/cors/tutorial001.py | 1 + 1 file changed, 1 insertion(+) diff --git a/docs_src/cors/tutorial001.py b/docs_src/cors/tutorial001.py index 3564114bc..97ae1e793 100644 --- a/docs_src/cors/tutorial001.py +++ b/docs_src/cors/tutorial001.py @@ -13,6 +13,7 @@ origins = [ app.add_middleware( CORSMiddleware, allow_origins=origins, + allow_credentials=False, allow_methods=["*"], allow_headers=["*"], )
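Review bot: Making `allow_credentials=False` explicit is the right call for a tutorial that keeps `allow_methods=["*"]` and `allow_headers=["*"]`, but the pairing is what carries the security meaning and the code does not say so; add above the new line `# Wildcards are acceptable only because credentials are off; with allow_credentials=True, replace "*" with explicit method and header lists.` A reader who flips the flag to True while keeping the wildcards would, as I read the middleware, get cookies and Authorization accepted from every listed origin for any requested method and header — the configuration the earlier patches in this series were restricting when credentials were on. The `app.add_middleware(` call starts before this hunk, and the test hunk in patch 3 (reverting the expectation to `"X-Example"`) is consistent with the wildcard reflecting the requested header.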