# CORS Header

Cross-origin resource sharing (CORS) is a browser security mechanism that determines whether a web page can load resources from a different origin. While browsers allow cross-origin images, CSS files, scripts, iframes, and videos without restrictions, other request types — such as Ajax calls and web fonts — are blocked by default under the same-origin policy.

CORS defines how browsers and servers evaluate cross-origin requests. Medianova CDN can send the `access-control-allow-origin` header in HTML responses to enable controlled cross-origin access.

By default, Medianova CDN forwards any CORS-related headers sent by your origin. You only need to enable CORS Header if you want CDN edges to set or override this header.

{% hint style="info" %}
If your origin already sends a correct CORS header with HTML responses and you do not see CORS errors, you can keep CORS Header disabled.

By default, Medianova CDN forwards the CORS header in HTML responses from your origin to browsers.
{% endhint %}

You can configure CORS Header in the [Medianova Control Panel](https://cloud.medianova.com) or via the [API](https://clients.medianova.com/api-documentation/performance-cdn/headers#put-api-v1-cdn-organization_uuid-resource-resource_uuid).

## Enable CORS Header

{% stepper %}
{% step %}

### Access CORS Header

Go to **CDN → CDN Resources** and select a CDN Resource.\
Open the **Headers** tab.
{% endstep %}

{% step %}

### Enable CORS Header

By default, CORS Header is disabled.\
Toggle **Status** to enable the feature.

Confirm that the configuration fields are now active.
{% endstep %}
{% endstepper %}

### Configure CORS Header

After enabling the feature, Medianova CDN edge servers add the `access-control-allow-origin` header to HTML responses based on your configuration.

#### Allow all origins (Wildcard)

If no domains are defined in the allow list, CDN edges return the following header:

```
access-control-allow-origin: *
```

The wildcard `*` allows any origin to load cross-origin resources from the CDN.

#### Allow specific domains

Add domains to restrict cross-origin access to only approved origins.

For example, if `https://www.shop.com` loads web fonts from `https://fonts.shop.com` and you want to prevent external sites from using these fonts, add `fonts.shop.com` to the allow list.

When a domain is added, CDN edges respond with:

```
access-control-allow-origin: https://fonts.shop.com
```

{% stepper %}
{% step %}
Enter a domain into the **Allowed Domains** field.\
Examples: `fonts.shop.com`, `https://fonts.shop.com`
{% endstep %}

{% step %}
Select **Add** to include the domain in the allow list.
{% endstep %}
{% endstepper %}

### Troubleshooting

* CORS Header applies only to **HTML responses**.
* If your origin also sets `access-control-allow-origin`, CDN behavior depends on your Header Override configuration.
* Browser console messages provide the most accurate diagnostics for CORS failures.
* If you use credentials or custom headers in your requests, additional CORS headers may be required at the origin level.
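
The following JavaScript is an added example, not Medianova code: it models how a browser evaluates the `access-control-allow-origin` values shown above against the origin of the requesting page, including the credentials case from the last item. The function names `getHeader` and `corsCheck` and the sample header sets are assumptions constructed for illustration.

```javascript
// Added example: models the browser's check of access-control-allow-origin.
// All origins and header sets below are constructed sample values.

// Look up a header by name, case-insensitively (header names are not case-sensitive).
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : String(headers[key]).trim();
}

// Returns { allowed, reason } for a page at `pageOrigin` reading a response.
// `credentials` is true when the request is sent with cookies or HTTP auth.
function corsCheck(pageOrigin, headers, credentials = false) {
  const acao = getHeader(headers, "access-control-allow-origin");
  if (acao === null) {
    return { allowed: false, reason: "header missing" };
  }
  if (acao === "*") {
    // The wildcard is honoured only for requests without credentials.
    return credentials
      ? { allowed: false, reason: "wildcard not valid with credentials" }
      : { allowed: true, reason: "wildcard" };
  }
  // Otherwise the value must equal the page's origin exactly:
  // scheme, host and port all count, and a list of origins never matches.
  if (acao !== new URL(pageOrigin).origin) {
    return { allowed: false, reason: "origin mismatch" };
  }
  if (!credentials) {
    return { allowed: true, reason: "origin match" };
  }
  // Credentialed requests also need access-control-allow-credentials: true.
  const acac = getHeader(headers, "access-control-allow-credentials");
  return acac === "true"
    ? { allowed: true, reason: "origin match with credentials" }
    : { allowed: false, reason: "allow-credentials missing" };
}

const wildcard = { "access-control-allow-origin": "*" };
const specific = { "Access-Control-Allow-Origin": "https://fonts.shop.com" };

console.log(corsCheck("https://www.shop.com", wildcard));
console.log(corsCheck("https://www.shop.com", wildcard, true));
console.log(corsCheck("https://fonts.shop.com", specific));
console.log(corsCheck("http://fonts.shop.com", specific));
console.log(corsCheck("https://fonts.shop.com", specific, true));
```

The `reason` values correspond to the conditions a browser reports in its console when it blocks a cross-origin read.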
