# Cross-Origin Resource Sharing

Configure CORS to prevent unauthorized browser requests.

```toml
[cors]
allow_credentials = false
allow_origins = ["https://app.grafbase.com"]
max_age = "60s"
allow_methods = ["GET", "POST"]
allow_headers = ["Content-Type"]
expose_headers = ["Access-Control-Allow-Origin"]
allow_private_network = false
```

- `allow_credentials`: Enables or disables credential sending. Defaults to `false`.
- `allow_origins`: List of allowed domains or “any”. Defaults to no domains if CORS is enabled.
- `max_age` ([duration](/docs/reference/gateway/configuration/durations)): Duration for caching preflight `OPTIONS` request results. Default: none.
- `allow_methods`: List of allowed HTTP methods or “any”. Defaults to none if CORS is enabled.
- `allow_headers`: List of allowed headers or “any”. Defaults to no headers if CORS is enabled.
- `expose_headers`: Headers a preflight request can return to the client. Default: no headers if CORS is enabled.
- `allow_private_network`: Allows private network requests. Defaults to `false`.