diff --git a/content/en/docs/refguide/runtime/custom-settings/_index.md b/content/en/docs/refguide/runtime/custom-settings/_index.md
index 292d41630f4..adaf9834715 100644
--- a/content/en/docs/refguide/runtime/custom-settings/_index.md
+++ b/content/en/docs/refguide/runtime/custom-settings/_index.md
@@ -66,6 +66,7 @@ The following custom settings can be configured:
| com.mendix.core.ProcessedTasksCleanupBatchSize | This setting specifies how many System.ProcessedQueueTask objects will be removed from the database each time the ProcessedTask cleanup action runs. See [Task Queue](/refguide/task-queue/#cleanup) for more details. | 10000 |
| com.mendix.services.publish.AllowWebServiceUserBasicAuthenticationInODataAndREST | Set to `true` to allow web service users to access published [OData](/refguide/published-odata-services/) and [REST](/refguide/published-rest-services/) services when using basic authentication. | false |
| EnableApacheCommonsLogging | Some libraries used by the Mendix runtime use [Apache Commons](https://commons.apache.org/) for logging. By default these log messages are suppressed. Set this value to `true` to receive the log messages from these libraries in the Mendix logs. | false |
+| Client.EnableCors | When set to `true`, the runtime will respond to [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) preflight `OPTIONS` requests on client-related request handlers. This is required when the Mendix client is accessed from a different domain. Use this setting in combination with the Headers runtime setting to specify the required CORS headers, such as `Access-Control-Allow-Origin`. See Configuring CORS for more information. | false |
| HashAlgorithm | Specifies the hash algorithm used to generate hash values for attributes of the HashString type, such as the password of a user. This setting overrides the setting in Studio Pro, see [Hash Algorithm](/refguide/runtime-tab/#hash-algorithm). Possible values are `BCRYPT`, `SSHA256`, `SHA256` (not recommended) and `MD5` (not recommended). To override the default BCrypt cost, you can specify `BCRYPT:cost`, where 'cost' is a number between 10 and 30. An example value is `BCRYPT:12`. | BCRYPT |
| http.client.CleanupAfterSeconds | For the call REST service and call web service activities, the first request to a new host will create an HTTP client that will handle subsequent requests. When there are no new requests to the host for the specified time, the HTTP client will be cleaned up. A value of `0` means no cleanup.
{{% alert color="warning" %}}If the infrastructure provider closes this connection before this cleanup time, you can receive a `java.net. SocketException: Connection reset` error. You can reduce this value to prevent this, or handle the error in your [REST call](/refguide/call-rest-action/#troubleshooting).{{% /alert %}} | 355 (355 seconds) |
| http.client.MaxConnectionsPerRoute | The [maximum number of connections for a route](https://hc.apache.org/httpcomponents-client-4.5.x/current/httpclient/apidocs/org/apache/http/impl/client/HttpClientBuilder.html#setMaxConnPerRoute(int)) for call REST service and call web service activities.
{{% alert color="warning" %}}If your app uses these calls, it is strongly recommended that this value is increased. The default could prevent multiple end-users accessing the API simultaneously. A good value is around the number of concurrent users you expect, with a maximum of 250. The value of `http.client. MaxConnectionsTotal` may also need to increase.{{% /alert %}} | 2 |
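Review bot: In the added `Client.EnableCors` row, "See Configuring CORS for more information" and "the Headers runtime setting" are plain text, while neighbouring rows link their references (for example `[Task Queue](/refguide/task-queue/#cleanup)`). Link the first to the new page, whose front matter declares `url: /refguide/configure-cors/`. The row also does not mention `com.mendix.core.SameSiteCookies`, which the new page lists as required for cross-origin authentication; naming it here would keep a reader from enabling CORS with only part of the configuration.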
diff --git a/content/en/docs/refguide/runtime/custom-settings/configure-cors.md b/content/en/docs/refguide/runtime/custom-settings/configure-cors.md
new file mode 100644
index 00000000000..61197b218ad
--- /dev/null
+++ b/content/en/docs/refguide/runtime/custom-settings/configure-cors.md
@@ -0,0 +1,62 @@
+---
+title: "Configuring CORS in the Mendix Runtime"
+linktitle: "Configuring CORS"
+url: /refguide/configure-cors/
+description: "Describes how to enable Cross-Origin Resource Sharing (CORS) in the Mendix Runtime, allowing browser-based clients on other domains to access the runtime."
+---
+
+## Introduction
+
+Cross-Origin Resource Sharing (CORS) is a mechanism that allows a web application running on one domain to make requests to a server on a different domain. By default, browsers block such cross-origin requests for security reasons. If your Mendix front end is hosted on a different domain than the Mendix Runtime (for example, when using a separate single-page application or a microfrontend architecture), you need to configure CORS so the browser permits these requests.
+
+This document describes the custom runtime settings required to enable CORS in the Mendix Runtime.
+
+## Settings to Configure {#settings}
+
+To enable CORS, configure the following custom runtime settings. For general information on how to set custom runtime settings, see [Runtime Customization](/refguide/custom-settings/).
+
+### Runtime Settings
+
+| Name | Value | Description |
+| --- | --- | --- |
+| `com.mendix.core.SameSiteCookies` | `None` | Allows cookie sharing between the runtime origin and the client origin. This is required for cross-origin authentication to work correctly. |
+| `Client.EnableCors` | `true` | When enabled, the runtime responds to CORS preflight (`OPTIONS`) requests from the browser. |
+
+### Custom HTTP Response Headers
+
+In addition to the runtime settings above, you need to set the following custom HTTP response headers via the `Headers` setting:
+
+| Header | Value | Description |
+| --- | --- | --- |
+| `Access-Control-Allow-Credentials` | `true` | Indicates that the server allows credentials (cookies, authorization headers) to be included in cross-origin requests. |
+| `Access-Control-Allow-Headers` | `Content-Type, x-csrf-token` | Specifies which HTTP headers can be used in the actual request. Expand this list if your application uses additional custom headers. |
+| `Access-Control-Allow-Methods` | `POST, GET, OPTIONS` | Specifies the HTTP methods allowed when accessing the resource. Expand this list if your application uses additional methods (for example, `PUT` or `DELETE`). |
+| `Access-Control-Allow-Origin` | Your client domain (for example, `https://my-app.example.com`) | The origin from which the client application is served. This must match the exact domain, including the scheme and port. |
+
+{{% alert color="info" %}}
+If you change these settings, you need to restart your app to apply the changes.
+{{% /alert %}}
+
+## Example `m2ee.yaml` Configuration {#example}
+
+The following example shows how to configure CORS in an `m2ee.yaml` file. Replace `YOUR_ORIGIN` with the actual domain of your client application (for example, `https://my-app.example.com`):
+
+```yaml
+mxruntime:
+ com.mendix.core.SameSiteCookies: None
+ Client.EnableCors: true
+ Headers:
+ "Access-Control-Allow-Credentials": "true"
+ "Access-Control-Allow-Headers": "Content-Type, x-csrf-token"
+ "Access-Control-Allow-Methods": "POST, GET, OPTIONS"
+ "Access-Control-Allow-Origin": YOUR_ORIGIN
+```
+
+## Troubleshooting
+
+If CORS is not working as expected, check the following:
+
+* **Browser console errors** — Look for CORS-related error messages in the browser developer tools console. These typically indicate which header is missing or misconfigured.
+* **Origin mismatch** — Ensure the value of `Access-Control-Allow-Origin` exactly matches the origin shown in the browser error, including the scheme (`https://`) and port number (if applicable).
+* **Missing `SameSiteCookies` setting** — Without `com.mendix.core.SameSiteCookies` set to `None`, cookies will not be sent on cross-origin requests, which can cause authentication failures.
+* **HTTPS requirement** — When `SameSiteCookies` is set to `None`, the `Secure` attribute is automatically added to cookies, meaning both the runtime and the client must be served over HTTPS.
\ No newline at end of file
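Review bot: The "Custom HTTP Response Headers" section and the `m2ee.yaml` example pair `Access-Control-Allow-Credentials: true` with `com.mendix.core.SameSiteCookies: None`, but nowhere state the security consequence of that combination. Add a warning alert after the header table saying that `Access-Control-Allow-Origin` must be a single trusted origin and never `*` (browsers reject a wildcard on credentialed requests), and that with `SameSite=None` the session cookie is sent on requests initiated from any site, so the allowed origin and the `x-csrf-token` check are what restrict cross-site access. In the example, `YOUR_ORIGIN` is the only unquoted header value; quote it like the others, for instance `"Access-Control-Allow-Origin": "YOUR_ORIGIN"`. As shown in this diff, the four header keys sit at the same indentation as `Headers:`, so confirm in the file that they are nested under it. The file also ends without a trailing newline.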