# CORS And Responses Use the gateway CORS block to centralize browser access policy instead of reimplementing it in every upstream. The CORS config defines which origins, methods, and headers are allowed for cross-origin requests. This page explains every CORS field and how the gateway applies them to responses. **Last reviewed:** 2026-03-06 ## When to use this Use the CORS and response reference when you need to control how the gateway handles browser cross-origin requests or what shape responses take for static, error, and operational endpoints. CORS is configured globally and applies to all routes unless overridden by an explicit OPTIONS handler. ## Key concepts * The CORS block is global -- it applies the same origin, method, and header policy to all routes. Per-route CORS overrides require explicit OPTIONS path entries. * The gateway returns a 204 No Content response for OPTIONS preflight requests automatically. You only need an explicit OPTIONS route if a specific path requires different CORS headers. * Static response routes can return JSON objects, strings, booleans, or null. The gateway serializes the `response` field as-is and sets `Content-Type: application/json`. * Error responses follow a consistent JSON shape with `error` and `message` fields. 401 errors include details about which JWT check failed (expiry, issuer, audience). * The gateway adds a `powered-by` response header by default. This can be useful for debugging which gateway version handled a request. ## Repo-grounded example ```json { "cors": { "allow_origins": ["https://app.example.com"], "allow_methods": ["GET", "POST", "OPTIONS"], "allow_headers": ["Content-Type", "Authorization", "X-Refresh-Token"], "expose_headers": ["X-Request-Id"], "allow_credentials": true, "max_age": 300 } } ``` This snippet defines a complete CORS block with `allow_origins`, `allow_methods`, `allow_headers`, `expose_headers`, `allow_credentials`, and `max_age`. Each field maps to a specific CORS response header that the gateway attaches to every response. ## Troubleshooting * If the browser shows a CORS error, check that `allow_origins` includes the exact origin (scheme + domain + port) your frontend uses -- wildcards are not supported when `allow_credentials` is true. * If preflight requests return 404 instead of 204, verify that the global CORS block is present in your config and that no explicit OPTIONS route is shadowing the default behavior. * If a static response returns `null` as a string instead of JSON null, make sure the `response` field is set to `null` (no quotes) in the config JSON. * If error responses do not include the expected `message` field, confirm you are testing against a current gateway version -- older versions used a different error shape. ## Related docs * [cors](/configuration/cors.md) * [introduction](/getting-started/introduction.md) * [gateway troubleshooting matrix](/troubleshooting/wrangler-deploy-guide/gateway-troubleshooting-matrix.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.serverlessapigateway.com/reference/cors-basics.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.