# How to Configure CORS Policies in App Platform

App Platform is a fully managed Platform-as-a-Service (PaaS) that deploys applications from Git repositories or container images. It automatically builds, deploys, and scales components while handling all underlying infrastructure.

Cross-origin resource sharing (CORS) lets web applications load resources from other origins (usually other domains) using HTTP headers. A common use case is defining how applications in one domain can access applications in another. For example, you can configure a CORS policy so that `api.example.com` only accepts HTTP `GET` requests from a web application hosted at `example.com`.

The parameters in the CORS policy define how a client’s HTTP request must be configured for the policy to allow it. For example, if you set the `Access-Control-Allow-Origin` header to `https://example.com`, client requests must originate from `https://example.com` with the `Origin` header set to `https://example.com`.

To configure CORS settings in the DigitalOcean Control Panel, go to the [Apps page](https://cloud.digitalocean.com/apps), click your app, then click the **Settings** tab. Click the component whose CORS policy you want to configure. In the **Routing rules** section, click the **…**, then click **Edit CORS configuration**.

![The Routing rules section with the Edit CORS configuration menu item highlighted.](https://docs.digitalocean.com/screenshots/app-platform/edit-cors-config.a83bd6e1d354aa8f7216e49dee7cd31108a1477c2d7a64c50c4a22f48b47787b.png)

**Note**: You can also configure CORS policies in the **Networking** tab in the **HTTP redirect rules** and the **Component routing rules** sections, either when adding a rule or by editing a rule later.

In the **Configure CORS** section, you can configure the following CORS settings:

- **Access-Control-Allow-Origins**: Specify the domains (origins) allowed to access your app. For example, if you set this to `https://example.com`, your app only allows HTTP requests that originate from `https://example.com` to access its resources. The value can be specific domains or a [regular expression](https://www.digitalocean.com/community/tutorials/an-introduction-to-regular-expressions).
  - **Exact**: The app only permits access if the client’s origin exactly matches the value you provide. For example, if you set this to `https://example.com`, your app only allows access if an HTTP request originated from `https://example.com`.
  - **Regex**: The app permits access if the client’s origin matches the regex, which must be in [RE2 syntax](https://github.com/google/re2/wiki/Syntax).
- **Access-Control-Allow-Methods**: Specify the HTTP CRUD methods that the client is allowed to execute. For example, you can set this to `GET` so that your app only accepts GET requests from matching clients.
- **Access-Control-Allow-Headers**: Specify the HTTP headers that the client is allowed to send. For example, you can set this to `Content-Type` so that your app only receives requests with the `Content-Type` header from matching clients.
- **Access-Control-Expose-Headers**: Specify the response headers that must be available to any scripts running in the client. For example, you can set this to `Content-Length` so that the `Content-Length` header is made available to any scripts running in the client. See Mozilla’s documentation for a list of [response headers that are safe to expose](https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_response_header).
- **Access-Control-Max-Age**: Specify the number of seconds a client browser should cache the CORS policy. You can specify a maximum of `24h`, `1440m` or `86400s`.
- **Access-Control-Allow-Credentials**: Specify whether or not your app allows requests that contain cookies, TLS client certificates, or authentication headers containing a username and password.

When finished, click **Save routing rule**.
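
Before saving a **Regex** origin rule, it helps to test the pattern against origins it must accept and origins it must refuse. The following is an added example, not DigitalOcean's code: Go's `regexp` package implements RE2 syntax, and the function name, both patterns and the sample origins are constructed for illustration. It assumes unanchored matching, which this page does not specify, so that a missing `^` or `$` shows up as a finding.

```go
package main

import (
	"fmt"
	"regexp"
)

// AuditOriginPattern compiles an RE2 pattern and returns one finding for each
// origin that is wrongly rejected or wrongly accepted. Matching is unanchored
// (an assumption), so a pattern must carry its own ^ and $ to pass.
func AuditOriginPattern(pattern string, mustAllow, mustDeny []string) ([]string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, fmt.Errorf("not valid RE2: %w", err)
	}
	var findings []string
	for _, o := range mustAllow {
		if !re.MatchString(o) {
			findings = append(findings, "rejects trusted origin "+o)
		}
	}
	for _, o := range mustDeny {
		if re.MatchString(o) {
			findings = append(findings, "accepts untrusted origin "+o)
		}
	}
	return findings, nil
}

// Constructed sample data; example.com and example.net are placeholders.
var (
	trusted   = []string{"https://example.com", "https://app.example.com"}
	untrusted = []string{
		"https://example.com.example.net", // trusted name used as a prefix
		"https://notexample.com",          // trusted name used as a suffix
		"https://exampleXcom.example.net", // unescaped dot matches any character
		"http://example.com",              // plain HTTP instead of HTTPS
	}
	loosePattern  = `https://.*example.com`
	strictPattern = `^https://([a-z0-9-]+\.)?example\.com$`
)

func main() {
	for _, p := range []string{loosePattern, strictPattern} {
		findings, err := AuditOriginPattern(p, trusted, untrusted)
		fmt.Println(p, findings, err)
	}
}
```

The loose pattern accepts three of the four untrusted origins, while the anchored pattern with escaped dots accepts none. Patterns using lookaheads or backreferences fail to compile, because RE2 does not support them.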