As a security precaution, Cloudflare Access blocks Cross-Origin Resource Sharing (CORS) headers from reaching protected applications. If your application must support CORS headers, you can configure specific headers in the Advanced settings section of the Create Access Policy window for the selected Access policy.
To allow CORS headers for the policy protecting the path that requires CORS, navigate to the bottom of the Create Access Policy window and expand the Advanced settings section and configure the settings.
Access-Control-Allow-Origins lets you list the fully qualified domain name (FQDN) that makes the CORS request. You can add multiple FQDNs or select Allow all origins to permit any FQDN.
Access-Control-Allow-Methods allows you to permit all method types (for example, POST or GET requests).
Access-Control-Allow Headers allow you to permit all HTTP headers or HTTP headers you define that meet the criteria defined in the Access-Control-Allow-Origins or Access-Control-Allow-Methods sections.