Where in Cloudflare do you enter CORS requests

Hello, we have Cloudflare enterprise and I found this document for setting CORS rules but our screen doesn’t look anything like this. It looks like this is for Cloudflare for Teams, but we have Enterprise so the UI is different:

Following are the parameters we required to be set on our .org and .com domains

access-control-allow-credentials: true
Access-Control-Allow-Origins: domain[.]org & www[.]domain[.]org
Access-Control-Allow Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Max-Age (seconds): 3600
Access-Control-Allow-Methods – POST & GET

Where is this at?

Hi @kjstech,

It may be best to contact your account team for assistance on this, as you are on an Enterprise plan.

The documentation you shared is for Cloudflare Access, and the steps are taken from the Cloudflare for Teams dashboard at https://dash.teams.cloudflare.com/. I wouldn’t expect this to look too different for an Enterprise plan, it looks the same as the documentation for me on my Enterprise test zone.

If you don’t use the Cloudflare for Teams dashboard and prefer to use the Access tab on the main dashboard, though, you should still see the same options. If you go to create/edit an access policy, at the bottom under ‘Advanced settings’:

Are you referring to a normal web site, or Cloudflare Access/Cloudflare Teams?

If it is just a normal web site, you set these on your Origin server. You could also set them in a Worker, and you can find some examples for CORS in the Workers documentation.

In relation to the Access-Control-Allow-Origin response, you can only have one <origin> in the response, so you will need something on your Origin to inspect the Origin request header, and modify the response accordingly.

I use VCL like this on my origin, but the same logic is possible in other servers.

sub vcl_deliver {
    if (req.http.host == "example.org" && req.url ~ "^/some-cross-origin-path" && (req.http.origin == "https://example.org" || req.http.origin == "https://www.example.org" ) ) {
        set resp.http.Access-Control-Allow-Origin = req.http.Origin;
        set resp.http.Access-Control-Allow-Credentials = "true"
        if (req.method == "OPTIONS"){
            set resp.http.Access-Control-Allow-Headers = "origin, x-requested-with, content-type, accept";
            set resp.http.Access-Control-Allow-Methods = "GET, POST, OPTIONS";
            set resp.http.Access-Control-Max-Age = "3600";

This topic was automatically closed after 30 days. New replies are no longer allowed.