| Availability | Odoo Online, Odoo.sh, On Premise |
| Lines of code | 455 |
| Technical Name | odoo_cors_middleware |
| License | OPL-1 |
| Website | https://www.dotbdsolutions.com |
| Versions | 18.0 19.0 |
Odoo CORS & Proxy Manager
Fix Cross-Origin Errors & Proxy External APIs Instantly on Odoo 18 & 19
by Dot BD Solutions Limited · Odoo Ready Partner · Author: Rafiur Rahman Rafit
The Problem — CORS Errors
You built a beautiful website on www.your-domain.com and added JavaScript to fetch data from your Odoo server at odoo.your-domain.com. But instead of data you get this dreaded browser error:
Access to fetch at 'https://odoo.your-domain.com/api/...' from origin
'https://www.your-domain.com' has been blocked by CORS policy:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
This happens because Odoo does not add CORS headers to its HTTP responses
by default. Browsers enforce the Same-Origin Policy and block the request entirely —
even proxy workarounds like allorigins.win
often fail on Odoo.sh and SaaS deployments.
The Solution — Install & Go
Odoo CORS & Proxy Manager is a lightweight Odoo module that automatically adds the
required Access-Control-Allow-Origin
headers to every HTTP response from your Odoo server. No nginx changes, no reverse
proxy tweaks, no Odoo source code edits.
Just install the module and your external website can immediately call any
Odoo endpoint — custom controllers, JSON-RPC, REST APIs, website pages, or the standard
/web/dataset/call_kw
interface.
Features
Everything the module does automatically after installation.
Automatic CORS Headers
Every response from your Odoo server automatically includes Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, and Access-Control-Max-Age headers.
OPTIONS Preflight Handling
Browsers send an OPTIONS request before any cross-origin POST/PUT/DELETE. This module intercepts those preflight requests at the WSGI level and returns a proper 200 OK with all required CORS headers — before Odoo even tries to route them.
Zero Configuration
No settings page, no domain whitelist to maintain, no environment variables. Install the module and CORS is enabled for all origins on all routes immediately.
Works Everywhere
Works on Odoo.sh, self-hosted, and Docker
deployments. No nginx config or reverse proxy changes required.
Not compatible with Odoo SaaS (odoo.com) —
SaaS does not allow custom modules or server-side patching.
Smart Header Deduplication
If your custom controllers already use Odoo's built-in
cors="*"
route parameter, the middleware detects existing CORS headers and
does not duplicate them.
Health-Check Endpoint
A built-in
/cors/health
endpoint returns {"status":"ok","cors":"enabled"}
— use it from your website JavaScript to verify that CORS is working before making production API calls.
Common Use Cases
- Website ↔ Odoo API: Your main website (e.g. www.example.com) fetches product data, stock levels, or pricing from your Odoo instance (e.g. odoo.example.com).
- Embedded Widgets: JavaScript widgets embedded in WordPress, Shopify, Wix, or any CMS that pull live Odoo data.
- Single-Page Apps (SPA): React, Vue, Angular, or plain JavaScript frontends that communicate with Odoo as a backend.
- Mobile Web Apps: Progressive Web Apps (PWAs) or mobile web views that call Odoo APIs directly.
- Third-Party Integrations: External services, dashboards, or reporting tools that need browser-based access to Odoo endpoints.
Quick Start — 3 Steps
- Copy odoo_cors_middleware to your custom_addons directory (or upload via Odoo.sh Git).
- Restart Odoo, go to Apps, search for "Odoo CORS & Proxy Manager" and click Install.
- Done! Open your browser console and test:
fetch('https://your-odoo.com/cors/health')
.then(r => r.json())
.then(d => console.log(d));
// → {status: "ok", cors: "enabled"}
How to Use After Installation
Verify the module is active
Open your browser console on any page and run:
fetch('https://your-odoo.com/cors/health')
.then(r => r.json()).then(d => console.log(d));
// Expected: {status: "ok", cors: "enabled"}
Call any Odoo API from your external website
Use fetch()
from any origin — no special headers or proxies needed:
const res = await fetch('https://your-odoo.com/web/dataset/call_kw', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  credentials: 'include',
  body: JSON.stringify({
    jsonrpc: '2.0', method: 'call',
    params: {
      model: 'product.template', method: 'search_read',
      args: [[]], kwargs: {fields: ['name','list_price'], limit: 10}
    }
  })
});
const data = await res.json();
console.log(data.result); // Products from Odoo
Use the built-in product proxy (for external APIs)
If your product data lives on a separate non-Odoo server that doesn't send CORS headers, the module includes a server-side proxy:
// Get all products — Odoo proxies to external server
const res = await fetch('/api/v1/web/products');
const products = await res.json();
// Get one product by ID
const detail = await fetch(`/api/v1/web/product?p_id=${productId}`);
const product = await detail.json();
Embed the snippet in your Odoo website page
In the Odoo website builder, go to your product page → click
Edit → drag in a Custom HTML block →
paste the ready-made product catalog snippet. The snippet uses relative URLs
(/api/v1/web/products)
so there are no cross-origin requests at all.
✅ No CORS errors: Relative URL → same origin → browser allows it directly. Odoo handles the upstream fetch internally with no restrictions.
Server-Side Proxy — 100% Reliable, Zero CORS Issues
Standard CORS headers can still fail on Odoo.sh or third-party servers that ignore or override them. The Proxy Server approach bypasses CORS completely — the browser never touches the external API.
Configure via: CORS & Proxy Manager → Proxy Servers → New
❌ Normal CORS Headers
- Can be blocked by Odoo.sh nginx
- Ignored by some external APIs
- Fails with credentials + wildcard
- Breaks on redirects
✅ Proxy Server (This Module)
- Server-to-server — no CORS rules
- Works on any Odoo deployment
- Supports all methods & auth types
- Configure from Odoo UI — no code
Setup in 2 steps:
Step 1 — Add Proxy Server
CORS & Proxy Manager → Proxy Servers → New
Label: My API
Base URL: https://myapi.com
Route Prefix: /proxy/myapi
Step 2 — Call from Your Website
Use the Route Prefix in your JS:
/proxy/myapi/products
Odoo forwards it server-side to:
https://myapi.com/products
JavaScript — all methods supported:
// GET
const list = await fetch('/proxy/myapi/products');
// POST with JSON (separate variable name so the snippet can be pasted as one block)
const created = await fetch('/proxy/myapi/orders', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({ item_id: 123, qty: 2 })
});
// DELETE, PUT, PATCH — same pattern
await fetch('/proxy/myapi/orders/456', { method: 'DELETE' });
🛡️ Why this always works
Browser → Odoo (same origin, no CORS check) → External API (server-to-server, no CORS rules). The external server never sees a browser request — it only sees Odoo's Python server. No headers to negotiate, no preflight, no blocked requests. Ever.
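An added example (not the module's code) of the prefix-to-base mapping from Step 1 and Step 2, written so that a proxied path can only reach the configured upstream. The ROUTES table, the function name and the refusal rules are assumptions.

```python
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed route table mirroring the page's example: Route Prefix -> Base URL.
ROUTES = {"/proxy/myapi": "https://myapi.com"}


def resolve_upstream(request_path, query="", routes=ROUTES):
    """Return the upstream URL for a proxied path, or None to refuse the request."""
    for prefix, base in routes.items():
        # Match on a path-segment boundary so /proxy/myapi2 does not hit /proxy/myapi.
        if request_path == prefix or request_path.startswith(prefix + "/"):
            break
    else:
        return None  # no configured route: never forward to an arbitrary host
    rest = request_path[len(prefix):] or "/"
    decoded = rest
    for _ in range(3):  # peel nested percent-encoding such as %252e
        decoded = unquote(decoded)
    segments = decoded.split("/")
    if ".." in segments or "\\" in decoded or any(ord(c) < 32 for c in decoded):
        return None  # refuse traversal and control characters instead of cleaning them
    if "" in segments[1:-1]:
        return None  # empty segment ("//") could be read as a new authority
    target = urlsplit(base)
    path = target.path.rstrip("/") + rest
    return urlunsplit((target.scheme, target.netloc, path, query, ""))
```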
Example — Embed Odoo Products in Your Website
Add this JavaScript snippet to any external website to fetch and display products from your Odoo server:
// Replace with your Odoo server URL
const ODOO_URL = 'https://your-odoo.com';
// 1. Authenticate (get session cookie)
// Anything in this script is readable by every visitor of the page,
// so use a dedicated account limited to the data you intend to publish.
const auth = await fetch(ODOO_URL + '/web/session/authenticate', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  credentials: 'include',
  body: JSON.stringify({
    jsonrpc: '2.0',
    params: {
      db: 'your-database',
      login: 'api@example.com',
      password: 'your-api-key'
    }
  })
});
// 2. Fetch products
const products = await fetch(ODOO_URL + '/web/dataset/call_kw', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  credentials: 'include',
  body: JSON.stringify({
    jsonrpc: '2.0',
    method: 'call',
    params: {
      model: 'product.product',
      method: 'search_read',
      args: [[]],
      kwargs: {fields: ['name','list_price'], limit: 10}
    }
  })
});
const data = await products.json();
console.log(data.result); // No CORS error!
Module Screenshots
Real screenshots from a live Odoo installation
CORS Settings — Enable/disable CORS with a single toggle
Proxy Servers — Configure upstream servers from the Odoo UI
Allowed Origins — Restrict CORS to specific domains
System Parameters — cors_allow_origin, headers & methods auto-configured
✅ Proxy in action — external API products loaded through Odoo with zero CORS errors
Frequently Asked Questions
Does this work on Odoo.sh?
Yes. The module operates entirely within the Odoo Python process —
it does not require nginx config, custom Dockerfiles, or SSH access.
Just push the module to your Odoo.sh Git repository and install it from the Apps menu.
Not compatible with Odoo SaaS (odoo.com) —
SaaS does not allow custom module installation or server-side patching.
Use Odoo.sh or self-hosted instead.
Is it safe to allow all origins (*)?
For public APIs and product catalogs, yes. Odoo's own session-based authentication and CSRF protection still apply — CORS headers only tell the browser it's allowed to read the response; they don't bypass login or security rules.
Will it conflict with routes that already have cors="*"?
No. The middleware checks for existing CORS headers before adding its own.
If a route already includes Access-Control-Allow-Origin,
the module skips that header to avoid duplicates.
How do I uninstall it?
Go to Apps → Installed → CORS & Proxy Manager → Uninstall. After restarting Odoo, the monkey-patch is removed and all responses return to normal Odoo behavior (no CORS headers).
Technical Settings — Required After Installation
After installing the module, check these settings in Settings → Technical → Parameters → System Parameters:
⚠️ cors_allow_origin parameter
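Search for cors_allow_origin. Its value must be set to * to allow all origins, or to your exact website origin (e.g. https://www.your-site.com). Browsers reject the * wildcard for requests sent with credentials: 'include', so those calls need the exact origin.
Key: cors_allow_origin Value: *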
Step 1
Go to Settings → Enable Developer Mode (scroll to bottom of General Settings → Activate Developer Mode)
Step 2
Go to Settings → Technical → Parameters → System Parameters
Step 3
Search for cors_allow_origin
→ set Value to * → Save
Step 4
Go to Apps → CORS & Proxy Manager → Upgrade to activate any newly added proxy routes
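The header logic behind this setting and the preflight handling listed under Features, sketched as an added example (not the module's own code): a WSGI middleware that echoes only allow-listed origins instead of *. The class name, the ALLOWED list, the header values and the 403 for unlisted preflights are assumptions.

```python
# Added example, not the module's code. ALLOWED is a constructed allow-list.
ALLOWED = {"https://www.your-domain.com"}
PREFLIGHT = [("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS"),
             ("Access-Control-Allow-Headers", "Content-Type, Authorization"),
             ("Access-Control-Max-Age", "600")]

class CorsAllowList:
    """WSGI middleware: answers preflights, echoes only allow-listed origins."""
    def __init__(self, app, allowed=ALLOWED, credentials=False):
        self.app, self.allowed, self.credentials = app, set(allowed), credentials

    def cors_headers(self, origin):
        if origin not in self.allowed:
            return []  # unknown origin: no CORS headers, so the browser blocks the read
        headers = [("Access-Control-Allow-Origin", origin), ("Vary", "Origin")]
        if self.credentials:
            # Valid only with an exact origin; browsers reject "*" with credentials.
            headers.append(("Access-Control-Allow-Credentials", "true"))
        return headers

    def __call__(self, environ, start_response):
        cors = self.cors_headers(environ.get("HTTP_ORIGIN", ""))
        if (environ["REQUEST_METHOD"] == "OPTIONS"
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            # Preflight: answered here, before the application routes the request.
            start_response("200 OK" if cors else "403 Forbidden",
                           cors + PREFLIGHT if cors else [])
            return [b""]

        def patched(status, headers, exc_info=None):
            names = {name.lower() for name, _ in headers}
            # Skip when the route already set the header (e.g. cors="*").
            extra = [] if "access-control-allow-origin" in names else cors
            return start_response(status, list(headers) + extra, exc_info)

        return self.app(environ, patched)

def health(environ, start_response):  # stand-in for an Odoo route
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"status":"ok","cors":"enabled"}']

def request(app, method, origin=None, preflight=False):
    """Send one constructed request through a WSGI app; return (status, headers)."""
    environ = {"REQUEST_METHOD": method, "HTTP_ORIGIN": origin or ""}
    if preflight:
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = "POST"
    seen = []
    app(environ, lambda st, hd, exc=None: seen.append((st, dict(hd))))
    return seen[0]
```

Calling `request(CorsAllowList(health), "GET", origin)` with a listed and an unlisted origin shows the difference a browser would see.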
Embed a Custom Snippet in Odoo Website
In the Odoo website builder, go to your page → Edit → drag a Custom HTML block → paste your snippet HTML → Save.
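<div id="product-list"></div>
<script>
fetch('/proxy/destiny/api/v1/web/products')
  .then(r => r.json())
  .then(data => {
    const container = document.getElementById('product-list');
    data.data.forEach(p => {
      // Build nodes with textContent so upstream values are never parsed as HTML
      const item = document.createElement('div');
      const title = document.createElement('h3');
      title.textContent = p.xdesc;
      const price = document.createElement('p');
      price.textContent = `Price: ৳${p.xmrp}`;
      item.append(title, price);
      container.appendChild(item);
    });
  });
</script>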
Replace /proxy/destiny
with your configured Route Prefix from CORS & Proxy Manager → Proxy Servers.
Dot BD Solutions Limited
Certified Odoo Ready Partner · Bangladesh
Module Author: Rafiur Rahman Rafit
We are a certified Odoo Ready Partner specialising in ERP implementation, custom module development, training and digital transformation for businesses across Bangladesh and beyond.
© 2025 Dot BD Solutions Limited · All rights reserved · OPL-1 License
Odoo Proprietary License v1.0 This software and associated files (the "Software") may only be used (executed, modified, executed after modifications) if you have purchased a valid license from the authors, typically via Odoo Apps, or if you have received a written agreement from the authors of the Software (see the COPYRIGHT file). You may develop Odoo modules that use the Software as a library (typically by depending on it, importing it and using its resources), but without copying any source code or material from the Software. You may distribute those modules under the license of your choice, provided that this license is compatible with the terms of the Odoo Proprietary License (For example: LGPL, MIT, or proprietary licenses similar to this one). It is forbidden to publish, distribute, sublicense, or sell copies of the Software or modified copies of the Software. The above copyright notice and this permission notice must be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.