How to Configure CORS Policies in App Platform

Validated on 3 May 2021 • Last edited on 6 Feb 2026

App Platform is a fully managed Platform-as-a-Service (PaaS) that deploys applications from Git repositories or container images. It automatically builds, deploys, and scales components while handling all underlying infrastructure.

Cross-origin resource sharing (CORS) lets web applications load resources from other origins (usually other domains) using HTTP headers. A common use case is defining how applications in one domain can access applications in another. For example, you can configure a CORS policy so that api.example.com only accepts HTTP GET requests from a web application hosted at example.com.

The parameters in the CORS policy define how a client’s HTTP request must be configured for the policy to allow it. For example, if you set the Access-Control-Allow-Origin header to https://example.com, client requests must originate from https://example.com with the Origin header set to https://example.com.

To configure CORS settings in the DigitalOcean Control Panel, go to the Apps page, click your app, then click the Settings tab. Click the component whose CORS policy you want to configure. In the Routing rules section, open the menu, then click Edit CORS configuration.

The Routing rules section with the Edit CORS configuration menu item highlighted.
Note
You can also configure CORS policies in the Networking tab in the HTTP redirect rules and the Component routing rules sections, either when adding a rule or by editing a rule later.

In the Configure CORS section, you can configure the following CORS settings:

  • Access-Control-Allow-Origins: Specify the domains (origins) allowed to access your app. For example, if you set this to https://example.com, your app only allows HTTP requests that originate from https://example.com to access its resources. The value can be specific domains or a regular expression.

    • Exact: The app only permits access if the client’s origin exactly matches the value you provide. For example, if you set this to https://example.com, your app only allows access if an HTTP request originated from https://example.com.
    • Regex: The app permits access if the client’s origin matches the regex, which must be in RE2 syntax.
  • Access-Control-Allow-Methods: Specify the HTTP CRUD methods that the client is allowed to execute. For example, you can set this to GET so that your app only accepts GET requests from matching clients.

  • Access-Control-Allow-Headers: Specify the HTTP headers that the client is allowed to send. For example, you can set this to Content-Type so that your app only receives requests with the Content-Type header from matching clients.

  • Access-Control-Expose-Headers: Specify the response headers that must be available to any scripts running in the client. For example, you can set this to Content-Length so that the Content-Length header is made available to any scripts running in the client.

    See Mozilla’s documentation for a list of response headers that are safe to expose.

  • Access-Control-Max-Age: Specify the number of seconds a client browser should cache the CORS policy. You can specify a maximum of 24h, 1440m or 86400s.

  • Access-Control-Allow-Credentials: Specify whether or not your app allows requests that contain cookies, TLS client certificates, or authentication headers containing a username and password.

When finished, click Save routing rule.
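
To check a Regex origin value before saving it, the following added example (not part of DigitalOcean's documentation or tooling) uses Go's regexp package, which implements RE2 syntax, to test a pattern against origins it should and should not allow. The function name, sample origins, and both patterns are constructed for illustration, and it assumes the pattern is applied as an unanchored search, which this page does not specify.

```go
package main

import (
	"fmt"
	"regexp"
)

// auditOriginPattern compiles an RE2 pattern and returns the intended origins
// it fails to match (missed) and the unwanted origins it accepts (leaked).
// Assumption: the pattern is applied as an unanchored search, as Go's
// MatchString does; explicit ^ and $ make the result independent of that.
func auditOriginPattern(pattern string, intended, unwanted []string) (missed, leaked []string, err error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, nil, fmt.Errorf("not valid RE2: %w", err)
	}
	for _, o := range intended {
		if !re.MatchString(o) {
			missed = append(missed, o)
		}
	}
	for _, o := range unwanted {
		if re.MatchString(o) {
			leaked = append(leaked, o)
		}
	}
	return missed, leaked, nil
}

// Constructed sample data for a policy meant to cover example.com and its subdomains.
var (
	intendedOrigins = []string{"https://example.com", "https://app.example.com"}
	unwantedOrigins = []string{"http://example.com", "https://notexample.com", "https://example.com.other.test"}
)

const (
	loosePattern  = `https://.*example.com`                 // unanchored, dots unescaped
	strictPattern = `^https://([a-z0-9-]+\.)*example\.com$` // anchored, dots escaped
)

func main() {
	for _, p := range []string{loosePattern, strictPattern} {
		missed, leaked, err := auditOriginPattern(p, intendedOrigins, unwantedOrigins)
		fmt.Printf("%s\n  missed=%v leaked=%v err=%v\n", p, missed, leaked, err)
	}
}
```

A pattern that uses lookarounds or backreferences fails to compile here, because RE2 does not support them.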
