Odoo CORS & Proxy Manager
Fix Cross-Origin Errors & Proxy External APIs Instantly on Odoo 18 & 19
by Dot BD Solutions Limited · Odoo Ready Partner · Author: Rafiur Rahman Rafit
🌐 All Origins Allowed · ⚡ Zero Configuration · 🛡️ Preflight Handling · ☁️ Works on Odoo.sh · Odoo 18 & 19
The Problem — CORS Errors
You built a beautiful Odoo website on www.your-domain.com and added JavaScript to fetch data from an external third-party API at api.some-service.com. But instead of data you get this dreaded browser error:
Access to fetch at 'https://api.some-service.com/data/...' from origin 'https://www.your-domain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
This happens because the external API does not add CORS headers for your domain, or because your frontend tries to fetch Odoo APIs cross-origin. Browsers enforce the Same-Origin Policy and block the request entirely — even public proxy workarounds often fail or are insecure.
The Solution — Install & Go
Odoo CORS & Proxy Manager solves this in two ways: It acts as a Server-Side Proxy so your Odoo server can fetch any external API (bypassing browser CORS entirely), AND it automatically adds Access-Control-Allow-Origin headers if you want external sites to access your Odoo data.
Just install the module to proxy external third-party APIs directly into your Odoo website, or let your external frontends securely call Odoo endpoints like /web/dataset/call_kw — zero configuration required.
Features
Everything the module does automatically after installation.
🌐
Automatic CORS Headers
Every response from your Odoo server automatically includes Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, and Access-Control-Max-Age headers.
🛡️
OPTIONS Preflight Handling
Browsers send an OPTIONS request before any cross-origin POST/PUT/DELETE. This module intercepts those preflight requests at the WSGI level and returns a proper 200 OK with all required CORS headers — before Odoo even tries to route them.
⚡
Zero Configuration
No settings page, no domain whitelist to maintain, no environment variables. Install the module and CORS is enabled for all origins on all routes immediately.
☁️
Works Everywhere
Works on Odoo.sh, self-hosted, and Docker deployments. No nginx config or reverse proxy changes required.
Not compatible with Odoo SaaS (odoo.com) — SaaS does not allow custom modules or server-side patching.
🔄
Smart Header Deduplication
If your custom controllers already use Odoo's built-in cors="*" route parameter, the middleware detects existing CORS headers and does not duplicate them.
💚
Health-Check Endpoint
A built-in /cors/health endpoint returns {"status":"ok","cors":"enabled"} — use it from your website JavaScript to verify that CORS is working before making production API calls.
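The preflight interception and header deduplication described above, as an added Python sketch of a WSGI layer (example code written for this page, not the module's own; `CorsMiddleware`, `cors_headers_for` and `ALLOWED_ORIGINS` are hypothetical names). It shows the restricted variant that echoes an allowlisted origin instead of `*`, which credentialed requests need because browsers reject a wildcard `Access-Control-Allow-Origin` on them.

```python
# Added example: a minimal WSGI CORS layer, not the module's own code.
ALLOWED_ORIGINS = {"https://www.your-external-site.com"}  # constructed allowlist
CORS_METHODS = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
CORS_REQUEST_HEADERS = "Content-Type, Authorization"


def cors_headers_for(origin):
    """CORS headers for an allowlisted origin; nothing for any other origin."""
    if origin not in ALLOWED_ORIGINS:
        return []
    return [
        # Echo the exact origin: browsers reject "*" on credentialed requests.
        ("Access-Control-Allow-Origin", origin),
        ("Access-Control-Allow-Credentials", "true"),
        ("Access-Control-Allow-Methods", CORS_METHODS),
        ("Access-Control-Allow-Headers", CORS_REQUEST_HEADERS),
        ("Access-Control-Max-Age", "600"),
    ]


class CorsMiddleware:
    """Wraps a WSGI app: answers preflights, decorates other responses."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        cors = cors_headers_for(environ.get("HTTP_ORIGIN"))
        vary = [("Vary", "Origin")]  # caches must key on the Origin header
        if (environ["REQUEST_METHOD"] == "OPTIONS"
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            # Preflight: reply before routing. An unlisted origin gets no
            # CORS headers, so the browser never sends the real request.
            start_response("200 OK", cors + vary + [("Content-Length", "0")])
            return [b""]

        def start_with_cors(status, headers, exc_info=None):
            # Deduplicate: if the route already set Access-Control-Allow-Origin
            # (e.g. via cors="*"), leave its CORS headers untouched.
            present = {name.lower() for name, _ in headers}
            extra = [] if "access-control-allow-origin" in present else cors
            return start_response(status, list(headers) + extra + vary, exc_info)

        return self.app(environ, start_with_cors)
```
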
Common Use Cases
- 🌐 Odoo Website → Third-Party API (Primary Use Case):
You have an Odoo website and you want to display information fetched from an external API or third-party website (e.g. live currency rates, weather data, supplier stock, a payment gateway, shipping tracker, or any public/private REST API). When your Odoo website's JavaScript tries to call that external API directly, the browser blocks it with a CORS error. This module's built-in proxy solves it: your Odoo website calls /proxy/your-api/endpoint → Odoo fetches it server-side → returns the data to your page. No CORS block. Ever.
- External Website → Odoo API: A website on a different domain (e.g. www.example.com) fetches product data, stock levels, or pricing from your Odoo instance (odoo.example.com) — the CORS headers added by this module allow the browser to read Odoo's response.
- Embedded Widgets: JavaScript widgets on WordPress, Shopify, Wix, or any CMS that show live data from Odoo or from any external API routed through Odoo's proxy.
- Single-Page Apps (SPA): React, Vue, Angular, or plain JS frontends using Odoo as a backend, or using Odoo as a gateway to reach external data sources without CORS issues.
- Mobile Web / PWA: Progressive Web Apps or mobile web views calling Odoo APIs or proxied external APIs.
- Third-Party Integrations: Dashboards, reporting tools, or scripts needing browser access to Odoo endpoints or to any external service proxied through Odoo.
Quick Start — 3 Steps
- Copy odoo_cors_middleware to your custom_addons directory (or upload via Odoo.sh Git).
- Restart Odoo, go to Apps, search for "Odoo CORS & Proxy Manager" and click Install.
- Done! Use the built-in proxy to fetch external data without CORS. Open your browser console on your Odoo site:
fetch('/proxy/your-external-api/endpoint')
  .then(r => r.json())
  .then(d => console.log(d));
// → Proxies the request server-side, bypassing browser CORS!
How to Use After Installation
1
Configure your Proxy Route (for Third-Party APIs)
Go to CORS & Proxy Manager → Proxy Servers → New in the Odoo UI. Set up the external API you want to fetch:
Label: Weather API
Base URL: https://api.weatherapi.com
Route Prefix: /proxy/weather
2
Fetch from the External API directly in your Odoo JS
In your Odoo website's JavaScript, use the Route Prefix you created. Odoo fetches the data server-side, so the browser never blocks the cross-origin request:
// Fetch weather data, bypassing browser CORS entirely.
// YOUR_KEY is sent from the browser here, so it is visible to anyone viewing the page.
const weather = await fetch('/proxy/weather/v1/current.json?key=YOUR_KEY&q=Dhaka');
const info = await weather.json();
console.log(info.current.temp_c);
3
Embed the proxy logic in your Odoo website page
In the Odoo website builder, go to your page → click Edit → drag in a Custom HTML block → write your standard fetch('/proxy/.../path') code.
✅ No CORS errors: Because you are calling a relative URL (`/proxy/`) on your own Odoo domain, it's considered same-origin. Odoo handles the upstream fetch internally!
4
(Optional) Let external websites call your Odoo API
If you ALSO need an external website (e.g. `www.my-other-site.com`) to call your Odoo backend, the module automatically adds `Access-Control-Allow-Origin` to Odoo's responses so the external browser can read them. To control which origins are allowed, set `cors_allow_origin` under Settings → Technical → Parameters → System Parameters.
5
Embed the snippet in your Odoo website page
In the Odoo website builder, go to your product page → click Edit → drag in a Custom HTML block → paste the ready-made product catalog snippet. The snippet uses relative URLs (/api/v1/web/products) so there are no cross-origin requests at all.
✅ No CORS errors: Relative URL → same origin → browser allows it directly. Odoo handles the upstream fetch internally with no restrictions.
⭐ RECOMMENDED · ⚠️ Normal CORS headers may not work on some servers
Server-Side Proxy — 100% Reliable, Zero CORS Issues
Standard CORS headers can still fail on Odoo.sh or third-party servers that ignore or override them. The Proxy Server approach bypasses CORS completely — the browser never touches the external API.
Configure via: CORS & Proxy Manager → Proxy Servers → New
❌ Normal CORS Headers
- Can be blocked by Odoo.sh nginx
- Ignored by some external APIs
- Fails with credentials + wildcard
- Breaks on redirects
✅ Proxy Server (This Module)
- Server-to-server — no CORS rules
- Works on any Odoo deployment
- Supports all methods & auth types
- Configure from Odoo UI — no code
Setup in 2 steps:
Step 1 — Add Proxy Server
CORS & Proxy Manager → Proxy Servers → New
Label: My API
Base URL: https://myapi.com
Route Prefix: /proxy/myapi
Step 2 — Call from Your Website
Use the Route Prefix in your JS:
/proxy/myapi/products
Odoo forwards it server-side to:
https://myapi.com/products
JavaScript — all methods supported:
// GET
const res = await fetch('/proxy/myapi/products');
// POST with JSON (separate variable name: `res` is already declared above)
const orderRes = await fetch('/proxy/myapi/orders', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({ item_id: 123, qty: 2 })
});
// DELETE, PUT, PATCH — same pattern
await fetch('/proxy/myapi/orders/456', { method: 'DELETE' });
🛡️ Why this always works
Browser → Odoo (same origin, no CORS check) → External API (server-to-server, no CORS rules). The external server never sees a browser request — it only sees Odoo's Python server. No headers to negotiate, no preflight, no blocked requests. Ever.
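The Route Prefix to Base URL mapping from Step 2 above, as an added Python sketch (example code written for this page, not the module's own; `PROXY_ROUTES`, `resolve_upstream` and `ProxyRejected` are hypothetical names, and the path is assumed to be already percent-decoded). It shows the property to verify in any relay of this kind: the forwarded URL stays pinned to the configured host.

```python
from urllib.parse import quote, urlsplit

# Constructed route table using the Route Prefix / Base URL pairs shown above.
PROXY_ROUTES = {
    "/proxy/myapi": "https://myapi.com",
    "/proxy/weather": "https://api.weatherapi.com",
}


class ProxyRejected(ValueError):
    """Raised when a request must not be forwarded."""


def resolve_upstream(path, query=""):
    """Map a decoded request path to its upstream URL, host pinned to Base URL."""
    for prefix, base in PROXY_ROUTES.items():
        # Match on a segment boundary so /proxy/myapix never hits /proxy/myapi.
        if path == prefix or path.startswith(prefix + "/"):
            break
    else:
        raise ProxyRejected("no proxy route configured for this path")

    rest = path[len(prefix):] or "/"
    segments = rest.split("/")
    # Refuse traversal, empty segments ("//host") and backslashes outright.
    if ".." in segments or "" in segments[1:-1] or "\\" in rest:
        raise ProxyRejected("path would escape the configured Base URL")

    target = urlsplit(base)
    url = (f"{target.scheme}://{target.netloc}"
           f"{target.path.rstrip('/')}{quote(rest, safe='/')}")
    if query:
        url += "?" + query
    # Final check: the result must still point at the configured HTTPS host.
    if urlsplit(url).netloc != target.netloc or target.scheme != "https":
        raise ProxyRejected("upstream host or scheme changed")
    return url
```
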
Examples — Connect to Any External API or Odoo
This module is not limited to Odoo websites. It lets your external website or app fetch data from any API — whether it's your Odoo server, a third-party REST service, a payment gateway, a weather API, or your own micro-services.
Example A — Fetch Data from Any External Website / API (Primary Feature)
Use the Proxy Server feature to fetch from any external URL (weather services, payment APIs, inventory systems, public datasets, etc.). Odoo acts as a server-side relay — the browser never hits the external server directly:
// ------- Configure in Odoo UI first: -------
// CORS & Proxy Manager → Proxy Servers → New
// Label: My Weather API
// Base URL: https://api.weatherapi.com
// Route Prefix: /proxy/weather
// --------------------------------------------
// Now call from your Odoo website — zero CORS errors:
const res = await fetch('/proxy/weather/v1/current.json?key=YOUR_KEY&q=Dhaka');
const weather = await res.json();
console.log(weather.current.temp_c); // 🌡️ temperature from external API!
// Works the same way for ANY API:
// Payment gateway: /proxy/payment/charge
// Inventory system: /proxy/inventory/stock
// Public dataset: /proxy/data/records
// Your own API: /proxy/myservice/endpoint
✅ Works with any external website or API — not just Odoo. Configure as many proxy servers as you need from the Odoo UI. No code changes required.
Example B — Let External Sites Fetch from Your Odoo Server (Secondary Feature)
Call Odoo endpoints directly from any external website that you do not host on Odoo:
// Replace with your Odoo server URL
const ODOO_URL = 'https://your-odoo.com';
// 1. Authenticate (get session cookie)
const auth = await fetch(ODOO_URL + '/web/session/authenticate', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  credentials: 'include',
  body: JSON.stringify({
    jsonrpc: '2.0',
    params: { db: 'your-database', login: 'api@example.com', password: 'your-api-key' }
  })
});
// 2. Fetch any Odoo model
const res = await fetch(ODOO_URL + '/web/dataset/call_kw', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  credentials: 'include',
  body: JSON.stringify({
    jsonrpc: '2.0', method: 'call',
    params: {
      model: 'product.product', method: 'search_read',
      args: [[]], kwargs: {fields: ['name','list_price'], limit: 10}
    }
  })
});
const data = await res.json();
console.log(data.result); // No CORS error!
Module Screenshots
Real screenshots from a live Odoo installation

CORS Settings — Enable/disable CORS with a single toggle

Proxy Servers — Configure upstream servers from the Odoo UI

Allowed Origins — Restrict CORS to specific domains

System Parameters — cors_allow_origin, headers & methods auto-configured

✅ Proxy in action — external API products loaded through Odoo with zero CORS errors
Frequently Asked Questions
Does this work on Odoo.sh?
Yes. The module operates entirely within the Odoo Python process — it does not require nginx config, custom Dockerfiles, or SSH access. Just push the module to your Odoo.sh Git repository and install it from the Apps menu.
Not compatible with Odoo SaaS (odoo.com) — SaaS does not allow custom module installation or server-side patching. Use Odoo.sh or self-hosted instead.
Does the proxy work for any third-party API?
Yes. The proxy acts as a relay over backend HTTP connections, meaning it is not subject to browser CORS policies. You can safely map to weather APIs, suppliers, inventory metrics or any webhook endpoints.
Is it safe to allow all origins (*) in the settings?
If you are only using the proxy server to fetch data from third party websites, you don't even need to configure origins. If you are also letting external sites access Odoo APIs, then allowing `*` is fine for public catalogs. Odoo's own session-based authentication and CSRF protection still apply to private requests.
Will it conflict with routes that already have cors="*"?
No. The middleware checks for existing CORS headers before adding its own. If a route already includes Access-Control-Allow-Origin, the module skips that header to avoid duplicates.
How do I uninstall it?
Go to Apps → Installed → CORS & Proxy Manager → Uninstall. After restarting Odoo, the monkey-patch is removed and all responses return to normal Odoo behavior (no CORS headers).
Technical Settings — Required After Installation
If you are also sharing Odoo data with external websites, check these settings in Settings → Technical → Parameters → System Parameters:
(Note: If you only use the Proxy feature, you can skip configuring origins: proxied calls are same-origin requests to your Odoo domain and do not depend on CORS response headers.)
⚠️ cors_allow_origin parameter (Optional, for outbound Odoo APIs)
Search for cors_allow_origin. Set its value to * to allow all origins, or to the exact external origin you want to allow (e.g. https://www.your-external-site.com).
Key: cors_allow_origin Value: *
Step 1
Go to Settings → Enable Developer Mode (scroll to bottom of General Settings → Activate Developer Mode)
Step 2
Go to Settings → Technical → Parameters → System Parameters
Step 3
Search for cors_allow_origin → set Value to * → Save
Step 4
Go to Apps → CORS & Proxy Manager → Upgrade to activate any newly added proxy routes
Embed a Custom Snippet in Odoo Website
In the Odoo website builder, go to your page → Edit → drag a Custom HTML block → paste your snippet HTML → Save.
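<div id="product-list"></div>
<script>
fetch('/proxy/destiny/api/v1/web/products')
  .then(r => r.json())
  .then(data => {
    const container = document.getElementById('product-list');
    data.data.forEach(p => {
      // Build nodes with textContent so upstream values are never parsed as HTML.
      const item = document.createElement('div');
      const title = document.createElement('h3');
      title.textContent = p.xdesc;
      const price = document.createElement('p');
      price.textContent = `Price: ৳${p.xmrp}`;
      item.append(title, price);
      container.appendChild(item);
    });
  });
</script>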
Replace /proxy/destiny with your configured Route Prefix from CORS & Proxy Manager → Proxy Servers.
Dot BD Solutions Limited
Certified Odoo Ready Partner · Bangladesh
Module Author: Rafiur Rahman Rafit
We are a certified Odoo Ready Partner specialising in ERP implementation, custom module development, training and digital transformation for businesses across Bangladesh and beyond.