Where can I enable CORS for my proxied API?


I have a proxied origin API server (e.g. api.mydomain.com).
I have an SPA at the mydomain.com address that accesses api.mydomain.com. (The domains are not real, it is just an example.)
I need to provide CORS headers to allow access to the API.

So the question is: who should provide the CORS headers - Cloudflare or the origin server?
If Cloudflare - please tell me how.

Thank you very much.

