# Configure Cross-Origin Request Sharing (CORS) Type of document: How-to guide Product: NGINX Gateway Fabric --- This document describes how to configure the HTTPCORSFilter in F5 NGINX Gateway Fabric to handle Cross-Origin Resource Sharing (CORS) for your applications. CORS is a security feature that allows or denies web applications running at one domain to make requests for resources from a different domain. The HTTPCORSFilter in the gateway API provides a standard way to configure CORS policies. ## Before you begin - [Install](/ngf/install/) NGINX Gateway Fabric. ## Deploy sample application To deploy the `coffee` application, run the following YAML with `kubectl apply`: ```yaml kubectl apply -f - < ``` ## Deploy a HTTPRoute with the HTTPCORSFilter In this example, the filter is applied to the `/coffee` path. Run the following command to apply the route: ```yaml kubectl apply -f - < ``` ## Verify CORS pre-flight check **Note:** Your clients should be able to resolve the domain name "cafe.example.com" to the public IP of the NGINX Service. This guide simulates it using curl's `--resolve` option. Send a preflight request using curl: ```shell curl --resolve cafe.example.com:$GW_PORT:$GW_IP http://cafe.example.com:$GW_PORT/coffee -H "Origin: https://example.com" -X OPTIONS -v ``` Response: ```text > OPTIONS /coffee HTTP/1.1 > Host: cafe.example.com:8080 > User-Agent: curl/8.7.1 > Accept: */* > Origin: https://example.com > * Request completely sent off < HTTP/1.1 200 OK < Server: nginx < Date: Wed, 18 Feb 2026 11:49:23 GMT < Content-Type: application/octet-stream < Content-Length: 0 < Connection: keep-alive < Access-Control-Allow-Origin: https://example.com < Access-Control-Allow-Methods: GET, POST < Access-Control-Allow-Headers: Keep-Alive, Content-Type, User-Agent, Authorization < Access-Control-Expose-Headers: Content-Security-Policy < Access-Control-Allow-Credentials: true < Access-Control-Max-Age: 10 < * Connection #0 to host cafe.example.com left intact ``` ## Further reading - [Example deployment files for HTTPCORSFilter](https://github.com/nginx/nginx-gateway-fabric/tree/main/examples/cors-filter) - [Gateway API Specification](https://gateway-api.sigs.k8s.io/reference/spec/#httpcorsfilter) - [Gateway API CORS](https://gateway-api.sigs.k8s.io/guides/http-cors/)