spiceai · phillipleblanc · Nov 20, 2024 · Nov 20, 2024 · Nov 20, 2024 · Nov 20, 2024
diff --git a/spiceaidocs/docs/api/http/index.md b/spiceaidocs/docs/api/http/index.md
@@ -14,3 +14,15 @@ import DocCardList from '@theme/DocCardList';
 ## Authentication
 
 API Key authentication is supported for all HTTP routes. See [API Key Authentication](../../api/auth/index.md) for more details.
+
+## Cross-Origin Resource Sharing (CORS)
+
+CORS is disabled by default. Enable for all origins with:
+
+```yaml
+runtime:
+  cors:
+    enabled: true
+```
+
+See [CORS](/reference/spicepod/index.md#runtimecors) for more details.
diff --git a/spiceaidocs/docs/reference/spicepod/index.md b/spiceaidocs/docs/reference/spicepod/index.md
@@ -189,6 +189,37 @@ runtime:
 - `retention_period` - optional, how long records in the task history table should be retained. Default is `8h`, or 8 hours.
 - `retention_check_interval` - optional, how often should old records be checked for removal. Default is `15m`, or 15 minutes.
 
+### `runtime.cors`
+
+The CORS section specifies the configuration for enabling Cross-Origin Resource Sharing (CORS) for the HTTP endpoint. By default, CORS is disabled.
+
+Default configuration:
+
+```yaml
+runtime:
+  cors:
+    enabled: false
+```
+
+### `runtime.cors.enabled`
+
+Enables or disables CORS for the HTTP endpoint. `false` by default.
+
+### `runtime.cors.allowed_origins`
+
+A list of allowed origins for CORS requests. `["*"]` by default, which allows all origins.
+
+Example:
+
+```yaml
+runtime:
+  cors:
+    enabled: true
+    allowed_origins: ["https://example.com"]
+```
+
+This configuration allows requests from the `https://example.com` origin only.
+
 ## `metadata`
 
 An optional `map` of metadata.