There's CORS_URLS_REGEX to whitelist those URLs where CORS is required. Is the reverse possible i.e. can we blacklist some views / URLs where CORS should not work e.g. login. Can I prevent CORS at view level by adding/modifying a header in the view ?

You can use a negative lookahead in your regex to match all URL's except a certain pattern...

https://stackoverflow.com/questions/1687620/regex-match-everything-but-specific-pattern

In [3]: re.match(r'^(?!/api/).*$', '/api/1')

In [4]: re.match(r'^(?!/api/).*$', '/docs/1')
Out[4]: <re.Match object; span=(0, 7), match='/docs/1'>

Enjoy!