# CORS Allowlist

{% hint style="warning" %}
These settings only apply to games running in browser environments. To learn more about CORS, you can read the [MDN Web Docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS).
{% endhint %}

For games running in web environments, setting up a CORS allowlist can be beneficial in a few cases:

* If your game runs on Unity *and* uses browser cookies
* If you want to restrict which websites your game can run from when using LootLocker

By default, LootLocker will allow traffic to the API from any website. If you add a host to the CORS allowlist, we will instead only allow traffic to the LootLocker API from that website, effectively restricting the game to only be able to run from that website. A website might be your own domain, or a third-party service like itch.io.

## Unity Considerations

{% hint style="warning" %}
If your Unity game uses any cookies, using the CORS allowlist is a requirement. This is not an issue for the vast majority of Unity games!
{% endhint %}

When Unity makes web requests, it asks for the `Access-Control-Allow-Credentials` CORS permission. This has the side effect of stopping requests that use cookies to any source that does not explicitly allow this. Unfortunately, it's not possible to allow this broadly without opening the game up to security issues.

Because of this, explicitly defining a CORS allowlist is required in this case. The LootLocker API will not function without it.
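A generic sketch of the server-side decision described above, added here as an example and not LootLocker's own code. It assumes allowlist entries are exact hostnames; `corsHeaders`, `originHost` and the sample hosts are hypothetical.

```javascript
// Added example: generic CORS decision logic, not LootLocker's implementation.
// Assumption: allowlist entries are exact hostnames (no wildcards or subdomain matching).

// Parse an Origin header and return its hostname, or null if it is not a
// plain http(s) origin ("null", paths, userinfo and odd casing are rejected).
function originHost(originHeader) {
  if (typeof originHeader !== "string") return null;
  let url;
  try { url = new URL(originHeader); } catch { return null; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // A real Origin is exactly scheme://host[:port]; anything else is malformed.
  if (url.origin !== originHeader) return null;
  return url.hostname;
}

// Return the CORS response headers for a request, given the configured allowlist.
function corsHeaders(originHeader, allowlist) {
  if (allowlist.length === 0) {
    // Default mode: any website may call the API. Browsers refuse "*" on
    // credentialed (cookie-carrying) requests, so those requests fail here.
    return { "Access-Control-Allow-Origin": "*" };
  }
  const host = originHost(originHeader);
  if (host === null || !allowlist.includes(host)) {
    return {}; // no CORS headers: the browser blocks the response
  }
  return {
    // Echo the single matching origin; "*" cannot be combined with credentials.
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
    // Keep caches from serving one origin's response to another origin.
    "Vary": "Origin",
  };
}

// Constructed sample input.
const sampleAllowlist = ["game.example.com"];
for (const origin of [
  "https://game.example.com",           // listed host
  "https://game.example.com.other.test", // lookalike host, exact match fails
  "null",                                // sandboxed iframe or file:// page
]) {
  console.log(origin, corsHeaders(origin, sampleAllowlist));
}
```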

## How to configure the CORS Allowlist

1. Identify the web hosts the game should be able to run from
2. Create a host in the [CORS Allowlist Settings Page](https://console.lootlocker.com/settings/cors-allowlist)


