Access-Control-Allow-Origin is an HTTP response header stating whether the application or source requesting access is allowed to access the response content. This header is part of the Cross-Origin Resource Sharing (CORS) policy.

When an application or source, like a website, tries to fetch content from another domain, the browser checks the Access-Control-Allow-Origin response header to ensure the content of a page is accessible for the application or source sending the request.

Allow All Origins

Access-Control-Allow-Origin: *

This setting allows all domains to access your resource, and it is mainly used for public APIs or resources. Public APIs often use this value to share data publicly across different domains or sources. If you are storing public assets within your DigitalOcean Spaces, then you could configure your Access-Control-Allow-Origin to *.

Allow Specific Origin


This setting only allows access to your specified domain. The above example specifies that only requests from to access your resource. This setting is mainly preferred for resources that are only accessible to specific applications. For example, a user dashboard on a website could use this setting to ensure that user-specific data from a server is only accessible within the user’s dashboard.

App Platform

App Platform supports configuring CORS policies for your apps.


Client web applications loaded in one domain can interact with resources in a Space with Cross-Origin Resource Sharing (CORS) configured. See How to Configure CORS Policies in Spaces for instructions on how to do this.