# CORS

The `cors` section defines the Cross-Origin Resource Sharing (CORS) policy for your application.

* `allow_origins`: Origins that are allowed to make cross-origin requests.
* `allow_methods`: HTTP methods that are allowed in cross-origin requests.
* `allow_headers`: Request headers that are allowed in cross-origin requests.
* `expose_headers`: Response headers that are exposed to the calling script.
* `allow_credentials`: Whether credentialed requests (cookies, HTTP authentication) are supported.
* `max_age`: How long the result of a preflight request may be cached.

**Example**

```
"cors": {
    "allow_origins": [
        "https://example.com",
        "https://example2.com"
    ],
    "allow_methods": [
        "GET",
        "POST",
        "PUT",
        "DELETE"
    ],
    "allow_headers": [
        "Content-Type",
        "Authorization"
    ],
    "expose_headers": [
        "Content-Type",
        "Authorization"
    ],
    "allow_credentials": true,
    "max_age": 86400
}
```
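A pre-deployment check for this section, as an added example that is not part of the gateway or its documentation. `lintCors` is a hypothetical helper, and it assumes the keys above map onto the standard `Access-Control-*` response headers; the `risky` object is constructed for illustration.

```javascript
// Added example: lintCors is a hypothetical helper, not part of the gateway.
// Assumption: the keys map onto the standard Access-Control-* response headers.
function lintCors(cors) {
  const findings = [];
  const origins = cors.allow_origins || [];
  const creds = cors.allow_credentials === true;

  for (const o of origins) {
    if (o === "*") {
      // Browsers reject credentialed responses whose allowed origin is "*".
      if (creds) findings.push("wildcard origin with allow_credentials");
      continue;
    }
    if (o === "null") {
      // Sandboxed iframes and file: documents send "Origin: null".
      findings.push('origin "null" is allowed');
      continue;
    }
    let url;
    try { url = new URL(o); } catch { findings.push(`not a URL: ${o}`); continue; }
    // An Origin header is scheme://host[:port]; a path or trailing slash never matches.
    if (url.origin !== o) findings.push(`not a bare origin: ${o}`);
    if (creds && url.protocol !== "https:") findings.push(`credentialed non-https origin: ${o}`);
  }
  // With credentials, "*" in these lists is read as a literal name, not a wildcard.
  for (const key of ["allow_methods", "allow_headers", "expose_headers"]) {
    if (creds && (cors[key] || []).includes("*")) findings.push(`"*" in ${key} with allow_credentials`);
  }
  if (cors.max_age !== undefined && (!Number.isInteger(cors.max_age) || cors.max_age < 0)) {
    findings.push("max_age is not a non-negative integer");
  }
  return findings;
}

// The example section from this page, then a constructed risky variant.
const pageExample = {
  allow_origins: ["https://example.com", "https://example2.com"],
  allow_methods: ["GET", "POST", "PUT", "DELETE"],
  allow_headers: ["Content-Type", "Authorization"],
  expose_headers: ["Content-Type", "Authorization"],
  allow_credentials: true,
  max_age: 86400,
};
const risky = { ...pageExample, allow_origins: ["*", "http://example.com/", "null"], allow_headers: ["*"] };

console.log(lintCors(pageExample));
console.log(lintCors(risky));
```

Running the check in CI against the deployed configuration file catches a wildcard or non-HTTPS origin before it reaches production.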

### See Also

* [Authorizer](/configuration/authorizer.md) -- set up JWT authentication that works alongside your CORS policy.
* [Servers](/configuration/servers.md) -- define the upstream servers that your CORS-enabled gateway proxies to.
* [Configuration Guide](/configuration/overview.md) -- full configuration reference including all sections.
