diff --git a/app/code/Magento/GraphQl/Controller/Cors/HttpResponseHeaderProvider/AllowCredentialsHeaderProvider.php b/app/code/Magento/GraphQl/Controller/Cors/HttpResponseHeaderProvider/AllowCredentialsHeaderProvider.php
new file mode 100755
index 0000000000000..d22dad79a59bf
--- /dev/null
+++ b/app/code/Magento/GraphQl/Controller/Cors/HttpResponseHeaderProvider/AllowCredentialsHeaderProvider.php
@@ -0,0 +1,85 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\GraphQl\Controller\Cors\HttpResponseHeaderProvider;
+
+use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
+use Magento\GraphQl\Model\Cors\ConfigurationProviderInterface;
+use Magento\GraphQl\Model\Cors\Validator\RequestValidatorInterface;
+
+/**
+ * Provides value for Access-Control-Allow-Credentials header if CORS is enabled
+ */
+class AllowCredentialsHeaderProvider implements HeaderProviderInterface
+{
+    /**
+     * provides the allow credentials header value
+     */
+    public const ALLOW_CREDENTIALS = "true";
+
+    /**
+     * @var string
+     */
+    private $headerName;
+
+    /**
+     * CORS configuration provider
+     *
+     * @var ConfigurationProviderInterface
+     */
+    private $corsConfiguration;
+
+    /**
+     * @var RequestValidatorInterface
+     */
+    private $requestValidator;
+
+    /**
+     * @param ConfigurationProviderInterface $corsConfiguration
+     * @param RequestValidatorInterface $requestValidator
+     * @param string $headerName
+     */
+    public function __construct(
+        ConfigurationProviderInterface $corsConfiguration,
+        RequestValidatorInterface $requestValidator,
+        string $headerName
+    ) {
+        $this->corsConfiguration = $corsConfiguration;
+        $this->headerName = $headerName;
+        $this->requestValidator = $requestValidator;
+    }
+
+    /**
+     * Get name of header
+     *
+     * @return string
+     */
+    public function getName(): string
+    {
+        return $this->headerName;
+    }
+
+    /**
+     * Check if header can be applied
+     *
+     * @return bool
+     */
+    public function canApply(): bool
+    {
+        return $this->requestValidator->isOriginAllowed() && $this->corsConfiguration->isCredentialsAllowed();
+    }
+
+    /**
+     * Get value for header
+     *
+     * @return string
+     */
+    public function getValue(): string
+    {
+        return self::ALLOW_CREDENTIALS;
+    }
+}
diff --git a/app/code/Magento/GraphQl/Controller/Cors/HttpResponseHeaderProvider/AllowHeadersHeaderProvider.php b/app/code/Magento/GraphQl/Controller/Cors/HttpResponseHeaderProvider/AllowHeadersHeaderProvider.php
new file mode 100755
index 0000000000000..b8c7de1797241
--- /dev/null
+++ b/app/code/Magento/GraphQl/Controller/Cors/HttpResponseHeaderProvider/AllowHeadersHeaderProvider.php
@@ -0,0 +1,82 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\GraphQl\Controller\Cors\HttpResponseHeaderProvider;
+
+use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
+use Magento\GraphQl\Model\Cors\ConfigurationProviderInterface;
+use Magento\GraphQl\Model\Cors\Validator\RequestValidatorInterface;
+
+/**
+ * Provides value for Access-Control-Allow-Header header if CORS is enabled
+ */
+class AllowHeadersHeaderProvider implements HeaderProviderInterface
+{
+    /**
+     * @var string
+     */
+    private $headerName;
+
+    /**
+     * CORS configuration provider
+     *
+     * @var ConfigurationProviderInterface
+     */
+    private $corsConfiguration;
+
+    /**
+     * @var RequestValidatorInterface
+     */
+    private $requestValidator;
+
+    /**
+     * @param ConfigurationProviderInterface $corsConfiguration
+     * @param RequestValidatorInterface $requestValidator
+     * @param string $headerName
+     */
+    public function __construct(
+        ConfigurationProviderInterface $corsConfiguration,
+        RequestValidatorInterface $requestValidator,
+        string $headerName
+    ) {
+        $this->corsConfiguration = $corsConfiguration;
+        $this->headerName = $headerName;
+        $this->requestValidator = $requestValidator;
+    }
+
+    /**
+     * Get name of header
+     *
+     * @return string
+     */
+    public function getName(): string
+    {
+        return $this->headerName;
+    }
+
+    /**
+     * Check if header can be applied
+     *
+     * @return bool
+     */
+    public function canApply(): bool
+    {
+        return $this->requestValidator->isOriginAllowed() && $this->getValue();
+    }
+
+    /**
+     * Get value for header
+     *
+     * @return string
+     */
+    public function getValue(): string
+    {
+        return $this->corsConfiguration->getAllowedHeaders()
+            ? implode(',', $this->corsConfiguration->getAllowedHeaders())
+            : '';
+    }
+}
diff --git a/app/code/Magento/GraphQl/Controller/Cors/HttpResponseHeaderProvider/AllowMethodsHeaderProvider.php b/app/code/Magento/GraphQl/Controller/Cors/HttpResponseHeaderProvider/AllowMethodsHeaderProvider.php
new file mode 100755
index 0000000000000..50c41534c8de9
--- /dev/null
+++ b/app/code/Magento/GraphQl/Controller/Cors/HttpResponseHeaderProvider/AllowMethodsHeaderProvider.php
@@ -0,0 +1,87 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\GraphQl\Controller\Cors\HttpResponseHeaderProvider;
+
+use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
+use Magento\GraphQl\Model\Cors\ConfigurationProviderInterface;
+use Magento\GraphQl\Model\Cors\Validator\RequestValidatorInterface;
+
+/**
+ * Provides value for Access-Control-Allow-Methods header if CORS is enabled
+ */
+class AllowMethodsHeaderProvider implements HeaderProviderInterface
+{
+    /**
+     * @var string
+     */
+    private $headerName;
+
+    /**
+     * @var string
+     */
+    public const GRAPHQL_CORS_ALLOWED_METHODS = 'GET,POST,OPTIONS';
+
+    /**
+     * CORS configuration provider
+     *
+     * @var ConfigurationProviderInterface
+     */
+    private $corsConfiguration;
+
+    /**
+     * @var RequestValidatorInterface
+     */
+    private $requestValidator;
+
+    /**
+     * @param ConfigurationProviderInterface $corsConfiguration
+     * @param RequestValidatorInterface $requestValidator
+     * @param string $headerName
+     */
+    public function __construct(
+        ConfigurationProviderInterface $corsConfiguration,
+        RequestValidatorInterface $requestValidator,
+        string $headerName
+    ) {
+        $this->corsConfiguration = $corsConfiguration;
+        $this->headerName = $headerName;
+        $this->requestValidator = $requestValidator;
+    }
+
+    /**
+     * Get name of header
+     *
+     * @return string
+     */
+    public function getName(): string
+    {
+        return $this->headerName;
+    }
+
+    /**
+     * Check if header can be applied
+     *
+     * @return bool
+     */
+    public function canApply(): bool
+    {
+        return $this->requestValidator->isOriginAllowed() && $this->getValue();
+    }
+
+    /**
+     * Get value for header
+     *
+     * @return string
+     */
+    public function getValue(): string
+    {
+        return $this->corsConfiguration->getAllowedMethods()
+            ? implode(',', $this->corsConfiguration->getAllowedMethods())
+            : self::GRAPHQL_CORS_ALLOWED_METHODS;
+    }
+}
diff --git a/app/code/Magento/GraphQl/Controller/Cors/HttpResponseHeaderProvider/AllowOriginHeaderProvider.php b/app/code/Magento/GraphQl/Controller/Cors/HttpResponseHeaderProvider/AllowOriginHeaderProvider.php
new file mode 100755
index 0000000000000..da484b144d6c8
--- /dev/null
+++ b/app/code/Magento/GraphQl/Controller/Cors/HttpResponseHeaderProvider/AllowOriginHeaderProvider.php
@@ -0,0 +1,94 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\GraphQl\Controller\Cors\HttpResponseHeaderProvider;
+
+use Magento\Framework\App\RequestInterface;
+use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
+use Magento\GraphQl\Model\Cors\ConfigurationProviderInterface;
+use Magento\GraphQl\Model\Cors\Validator\RequestValidatorInterface;
+
+/**
+ * Provides value for Access-Control-Allow-Origin header if CORS is enabled
+ */
+class AllowOriginHeaderProvider implements HeaderProviderInterface
+{
+    /**
+     * @var string
+     */
+    private $headerName;
+
+    /**
+     * CORS configuration provider
+     *
+     * @var ConfigurationProviderInterface
+     */
+    private $corsConfiguration;
+
+    /**
+     * @var RequestInterface
+     */
+    private $request;
+
+    /**
+     * @var RequestValidatorInterface
+     */
+    private $requestValidator;
+
+    /**
+     * @param ConfigurationProviderInterface $corsConfiguration
+     * @param RequestInterface $request
+     * @param RequestValidatorInterface $requestValidator
+     * @param string $headerName
+     */
+    public function __construct(
+        ConfigurationProviderInterface $corsConfiguration,
+        RequestInterface $request,
+        RequestValidatorInterface $requestValidator,
+        string $headerName
+    ) {
+        $this->corsConfiguration = $corsConfiguration;
+        $this->headerName = $headerName;
+        $this->request = $request;
+        $this->requestValidator = $requestValidator;
+    }
+
+    /**
+     * Get name of header
+     *
+     * @return string
+     */
+    public function getName(): string
+    {
+        return $this->headerName;
+    }
+
+    /**
+     * Check if header can be applied
+     *
+     * @return bool
+     */
+    public function canApply(): bool
+    {
+        return $this->requestValidator->isOriginAllowed() && $this->getValue();
+    }
+
+    public function getValue(): string
+    {
+        return $this->isAllOriginsAllowed() ? '*' : $this->request->getHeader('Origin');
+    }
+
+    /**
+     * if '*' is present, allow all origins
+     *
+     * @return bool
+     */
+    private function isAllOriginsAllowed(): bool
+    {
+        return in_array('*', $this->corsConfiguration->getAllowedOrigins());
+    }
+}
diff --git a/app/code/Magento/GraphQl/Controller/Cors/HttpResponseHeaderProvider/MaxAgeHeaderProvider.php b/app/code/Magento/GraphQl/Controller/Cors/HttpResponseHeaderProvider/MaxAgeHeaderProvider.php
new file mode 100755
index 0000000000000..b7da996f72ce5
--- /dev/null
+++ b/app/code/Magento/GraphQl/Controller/Cors/HttpResponseHeaderProvider/MaxAgeHeaderProvider.php
@@ -0,0 +1,85 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\GraphQl\Controller\Cors\HttpResponseHeaderProvider;
+
+use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
+use Magento\GraphQl\Model\Cors\ConfigurationProviderInterface;
+use Magento\GraphQl\Model\Cors\Validator\RequestValidatorInterface;
+
+/**
+ * Provides value for Max-Age header if CORS is enabled
+ */
+class MaxAgeHeaderProvider implements HeaderProviderInterface
+{
+    /**
+     * CORS MAX AGE default value
+     */
+    private const GRAPH_CORS_MAX_AGE_DEFAULT = '86400';
+
+    /**
+     * @var string
+     */
+    private $headerName;
+
+    /**
+     * CORS configuration provider
+     *
+     * @var ConfigurationProviderInterface
+     */
+    private $corsConfiguration;
+
+    /**
+     * @var RequestValidatorInterface
+     */
+    private $requestValidator;
+
+    /**
+     * @param ConfigurationProviderInterface $corsConfiguration
+     * @param RequestValidatorInterface $requestValidator
+     * @param string $headerName
+     */
+    public function __construct(
+        ConfigurationProviderInterface $corsConfiguration,
+        RequestValidatorInterface $requestValidator,
+        string $headerName
+    ) {
+        $this->corsConfiguration = $corsConfiguration;
+        $this->headerName = $headerName;
+        $this->requestValidator = $requestValidator;
+    }
+
+    /**
+     * Get name of header
+     *
+     * @return string
+     */
+    public function getName(): string
+    {
+        return $this->headerName;
+    }
+
+    /**
+     * Check if header can be applied
+     *
+     * @return bool
+     */
+    public function canApply(): bool
+    {
+        return $this->requestValidator->isOriginAllowed() && $this->getValue();
+    }
+
+    /**
+     * Get value for header
+     *
+     * @return string
+     */
+    public function getValue(): string
+    {
+        return $this->corsConfiguration->getMaxAge() ?? self::GRAPH_CORS_MAX_AGE_DEFAULT;
+    }
+}
diff --git a/app/code/Magento/GraphQl/Model/Cors/ConfigurationProvider.php b/app/code/Magento/GraphQl/Model/Cors/ConfigurationProvider.php
new file mode 100755
index 0000000000000..abc476483bfc0
--- /dev/null
+++ b/app/code/Magento/GraphQl/Model/Cors/ConfigurationProvider.php
@@ -0,0 +1,134 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\GraphQl\Model\Cors;
+
+use Magento\Framework\App\Config\ScopeConfigInterface;
+
+/**
+ * Provides CORS Configuration
+ */
+class ConfigurationProvider implements ConfigurationProviderInterface
+{
+    /**
+     * path which stores config for list of allowed origins
+     */
+    public const GRAPHQL_CORS_ALLOWED_ORIGINS = 'web/graphql/cors_allowed_origins';
+
+    /**
+     * path which stores config for list of allowed methods
+     */
+    public const GRAPHQL_CORS_ALLOWED_METHODS = 'web/graphql/cors_allowed_methods';
+
+    /**
+     * path which stores config for list of allowed headers
+     */
+    public const GRAPHQL_CORS_ALLOWED_HEADERS = 'web/graphql/cors_allowed_headers';
+
+    /**
+     * path which stores config for max age
+     */
+    public const GRAPHQL_CORS_MAX_AGE = 'web/graphql/cors_max_age';
+
+    /**
+     * path which stores config for credentials allowed
+     */
+    public const GRAPHQL_CORS_ALLOW_CREDENTIALS = 'web/graphql/cors_allow_credentials';
+
+    /**
+     * @var ScopeConfigInterface
+     */
+    private $scopeConfig;
+
+    /**
+     * ConfigurationProvider constructor.
+     */
+    public function __construct(
+        ScopeConfigInterface $scopeConfig
+    ) {
+        $this->scopeConfig = $scopeConfig;
+    }
+
+    /**
+     * returns the list of allowed origins
+     *
+     * @return array|null
+     */
+    public function getAllowedOrigins(): ?array
+    {
+        return $this->processOptions($this->scopeConfig->getValue(self::GRAPHQL_CORS_ALLOWED_ORIGINS));
+    }
+
+    /**
+     * returns the list of allowed headers
+     *
+     * @return array|null
+     */
+    public function getAllowedHeaders(): ?array
+    {
+        return $this->processOptions($this->scopeConfig->getValue(self::GRAPHQL_CORS_ALLOWED_HEADERS));
+    }
+
+    /**
+     * returns the list of allowed methods
+     *
+     * @return array|null
+     */
+    public function getAllowedMethods(): ?array
+    {
+        return $this->processOptions($this->scopeConfig->getValue(self::GRAPHQL_CORS_ALLOWED_METHODS));
+    }
+
+    /**
+     * returns CORS max age value
+     *
+     * @return string
+     */
+    public function getMaxAge(): string
+    {
+        return $this->scopeConfig->getValue(self::GRAPHQL_CORS_MAX_AGE);
+    }
+
+    /**
+     * returns credentials value
+     *
+     * @return bool
+     */
+    public function isCredentialsAllowed(): bool
+    {
+        return $this->scopeConfig->isSetFlag(self::GRAPHQL_CORS_ALLOW_CREDENTIALS);
+    }
+
+    /**
+     * converts the comma separated values into array
+     *
+     * @param $option
+     * @param string $delimiter
+     * @return array
+     */
+    public function processOptions($option, $delimiter = ','): array
+    {
+        //if no config is provided in env.php
+        if(!$option){
+            $option = '';
+        }
+
+        $configurations = explode($delimiter, $option);
+        $trimmedConfigurations = array_map(
+            function ($trimmedConfiguration) {
+                return trim($trimmedConfiguration);
+            },
+            $configurations
+        );
+
+        $trimmedConfigurations = array_values(array_filter($trimmedConfigurations, function ($trimmedConfiguration) {
+            return !empty($trimmedConfiguration);
+        }));
+
+        return $trimmedConfigurations;
+    }
+}
diff --git a/app/code/Magento/GraphQl/Model/Cors/ConfigurationProviderInterface.php b/app/code/Magento/GraphQl/Model/Cors/ConfigurationProviderInterface.php
new file mode 100755
index 0000000000000..77a2b33b4de43
--- /dev/null
+++ b/app/code/Magento/GraphQl/Model/Cors/ConfigurationProviderInterface.php
@@ -0,0 +1,47 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\GraphQl\Model\Cors;
+
+interface ConfigurationProviderInterface
+{
+
+    /**
+     * Get list of allowed origins or null
+     *
+     * @return array|null
+     */
+    public function getAllowedOrigins(): ?array;
+
+    /**
+     * Get list of allowed headers or null
+     *
+     * @return array|null
+     */
+    public function getAllowedHeaders(): ?array;
+
+    /**
+     * Get list of allowed methods or null
+     *
+     * @return array|null
+     */
+    public function getAllowedMethods(): ?array;
+
+    /**
+     * Get max age header value
+     *
+     * @return string
+     */
+    public function getMaxAge(): string;
+
+    /**
+     * Are credentials allowed
+     *
+     * @return bool
+     */
+    public function isCredentialsAllowed() : bool;
+}
diff --git a/app/code/Magento/GraphQl/Model/Cors/Validator/RequestValidator.php b/app/code/Magento/GraphQl/Model/Cors/Validator/RequestValidator.php
new file mode 100755
index 0000000000000..536f1560efe39
--- /dev/null
+++ b/app/code/Magento/GraphQl/Model/Cors/Validator/RequestValidator.php
@@ -0,0 +1,94 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\GraphQl\Model\Cors\Validator;
+
+use Magento\Framework\App\Request\Http as HttpRequest;
+use Magento\Framework\App\RequestInterface;
+use Magento\GraphQl\Model\Cors\ConfigurationProviderInterface;
+
+/**
+ * Validates the request
+ */
+class RequestValidator implements RequestValidatorInterface
+{
+
+    /**
+     * @var ConfigurationProviderInterface
+     */
+    private $configuration;
+
+    /**
+     * @var RequestInterface
+     */
+    private $request;
+
+    /**
+     * CorsValidator constructor.
+     *
+     * @param ConfigurationProviderInterface $configuration
+     * @param RequestInterface $request
+     */
+    public function __construct(
+        ConfigurationProviderInterface $configuration,
+        RequestInterface $request
+    ) {
+        $this->configuration = $configuration;
+        $this->request = $request;
+    }
+
+    /**
+     * Determines whether the requested origin is present in configuration
+     *
+     * @return bool
+     */
+    private function isOriginExistsInConfiguration(): bool
+    {
+        return in_array($this->request->getHeader('Origin'), $this->configuration->getAllowedOrigins());
+    }
+
+    /**
+     * Determines whether all origins should be allowed
+     *
+     * @return bool
+     */
+    private function isAllOriginsAllowed(): bool
+    {
+        return in_array('*', $this->configuration->getAllowedOrigins());
+    }
+
+    /**
+     * Determines whether the request is valid and applies CORS headers
+     * @return bool
+     */
+    public function isOriginAllowed(): bool
+    {
+        if ($this->request instanceof HttpRequest) {
+
+            if (!$this->originHeaderExists()) {
+                return false;
+            }
+
+            return $this->isAllOriginsAllowed() || $this->isOriginExistsInConfiguration();
+        }
+
+        return false;
+    }
+
+    /**
+     * Determines whether an origin header exists
+     * @return bool
+     */
+    private function originHeaderExists(): bool
+    {
+        try {
+            return $this->request->getHeader('Origin') ? true : false;
+        } catch (\Exception $exception) {
+            return false;
+        }
+    }
+}
diff --git a/app/code/Magento/GraphQl/Model/Cors/Validator/RequestValidatorInterface.php b/app/code/Magento/GraphQl/Model/Cors/Validator/RequestValidatorInterface.php
new file mode 100755
index 0000000000000..8c66626a40cc4
--- /dev/null
+++ b/app/code/Magento/GraphQl/Model/Cors/Validator/RequestValidatorInterface.php
@@ -0,0 +1,20 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\GraphQl\Model\Cors\Validator;
+
+/**
+ * Decides if Requested should be applied with CORS headers
+ */
+interface RequestValidatorInterface
+{
+    /**
+     * Determines whether the request is in list of allowed origins
+     * @return bool
+     */
+    public function isOriginAllowed(): bool;
+}
diff --git a/app/code/Magento/GraphQl/etc/di.xml b/app/code/Magento/GraphQl/etc/di.xml
index 865e8f223db54..d2dc83aae5915 100644
--- a/app/code/Magento/GraphQl/etc/di.xml
+++ b/app/code/Magento/GraphQl/etc/di.xml
@@ -103,4 +103,29 @@
             <argument name="queryComplexity" xsi:type="number">300</argument>
         </arguments>
     </type>
+    <type name="Magento\GraphQl\Controller\Cors\HttpResponseHeaderProvider\MaxAgeHeaderProvider">
+        <arguments>
+            <argument name="headerName" xsi:type="string">Access-Control-Max-Age</argument>
+        </arguments>
+    </type>
+    <type name="Magento\GraphQl\Controller\Cors\HttpResponseHeaderProvider\AllowCredentialsHeaderProvider">
+        <arguments>
+            <argument name="headerName" xsi:type="string">Access-Control-Allow-Credentials</argument>
+        </arguments>
+    </type>
+    <type name="Magento\GraphQl\Controller\Cors\HttpResponseHeaderProvider\AllowHeadersHeaderProvider">
+        <arguments>
+            <argument name="headerName" xsi:type="string">Access-Control-Allow-Headers</argument>
+        </arguments>
+    </type>
+    <type name="Magento\GraphQl\Controller\Cors\HttpResponseHeaderProvider\AllowMethodsHeaderProvider">
+        <arguments>
+            <argument name="headerName" xsi:type="string">Access-Control-Allow-Methods</argument>
+        </arguments>
+    </type>
+    <type name="Magento\GraphQl\Controller\Cors\HttpResponseHeaderProvider\AllowOriginHeaderProvider">
+        <arguments>
+            <argument name="headerName" xsi:type="string">Access-Control-Allow-Origin</argument>
+        </arguments>
+    </type>
 </config>
diff --git a/app/code/Magento/GraphQl/etc/graphql/di.xml b/app/code/Magento/GraphQl/etc/graphql/di.xml
index 77fce336374dd..31c798b0505fd 100644
--- a/app/code/Magento/GraphQl/etc/graphql/di.xml
+++ b/app/code/Magento/GraphQl/etc/graphql/di.xml
@@ -30,4 +30,19 @@
             </argument>
         </arguments>
     </type>
+    <preference for="Magento\GraphQl\Model\Cors\ConfigurationProviderInterface" type="Magento\GraphQl\Model\Cors\ConfigurationProvider" />
+    <preference
+        for="Magento\GraphQl\Model\Cors\Validator\RequestValidatorInterface"
+        type="Magento\GraphQl\Model\Cors\Validator\RequestValidator"/>
+    <type name="Magento\Framework\App\Response\HeaderManager">
+        <arguments>
+            <argument name="headerProviderList" xsi:type="array">
+                <item name="CorsAllowHeaders" xsi:type="object">Magento\GraphQl\Controller\Cors\HttpResponseHeaderProvider\AllowHeadersHeaderProvider</item>
+                <item name="CorsAllowOrigin" xsi:type="object">Magento\GraphQl\Controller\Cors\HttpResponseHeaderProvider\AllowOriginHeaderProvider</item>
+                <item name="CorsAllowMethods" xsi:type="object">Magento\GraphQl\Controller\Cors\HttpResponseHeaderProvider\AllowMethodsHeaderProvider</item>
+                <item name="CorsMaxAge" xsi:type="object">Magento\GraphQl\Controller\Cors\HttpResponseHeaderProvider\MaxAgeHeaderProvider</item>
+                <item name="CorsAllowCredentials" xsi:type="object">Magento\GraphQl\Controller\Cors\HttpResponseHeaderProvider\AllowCredentialsHeaderProvider</item>
+            </argument>
+        </arguments>
+    </type>
 </config>
diff --git a/dev/tests/integration/testsuite/Magento/GraphQl/Controller/CorsGraphQlTest.php b/dev/tests/integration/testsuite/Magento/GraphQl/Controller/CorsGraphQlTest.php
new file mode 100755
index 0000000000000..96e550d4881c9
--- /dev/null
+++ b/dev/tests/integration/testsuite/Magento/GraphQl/Controller/CorsGraphQlTest.php
@@ -0,0 +1,141 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\GraphQl\Controller;
+
+use Laminas\Http\Headers;
+use Magento\TestFramework\TestCase\AbstractController as ControllerTestCase;
+
+/**
+ * Validates the headers for Graphql CORS requests
+ */
+class CorsGraphQlTest extends ControllerTestCase
+{
+    /**
+     * Prepares HTTP headers
+     *
+     * @param string $origin
+     * @return Headers
+     */
+    private function getHeadersForGraphQlRequest($origin = 'https://example.com'): Headers
+    {
+        $httpHeaders = new Headers();
+        $httpHeaders->addHeaders([
+            'Origin' => $origin,
+            'Content-Type' => 'application/json'
+        ]);
+        return $httpHeaders;
+    }
+
+    /**
+     * Makes the GraphQl request
+     *
+     * @param string $origin
+     * @param string $method
+     * @return void
+     */
+    private function addOriginAndSendGraphQlRequest(string $origin, string $method = 'POST'): void
+    {
+        $this->getRequest()->setMethod($method)
+            ->setHeaders($this->getHeadersForGraphQlRequest($origin))
+            ->setContent('{"query": "{categoryList{name, id }}"}');
+
+        $this->dispatch('/graphql');
+    }
+
+    /**
+     * @magentoConfigFixture default/web/graphql/cors_allowed_origins https://www.example.com
+     * @magentoConfigFixture default/web/graphql/cors_allowed_headers Content-Type
+     * @magentoConfigFixture default/web/graphql/cors_allowed_methods GET,POST,OPTIONS
+     * @magentoConfigFixture default/web/graphql/cors_max_age 86400
+     * @magentoConfigFixture default/web/graphql/cors_allow_credentials 1
+     */
+    public function testIsCorsHeadersPresentInGraphQlResponse()
+    {
+        $this->addOriginAndSendGraphQlRequest('https://www.example.com');
+        $response = $this->getResponse();
+
+        $this->assertNotFalse($response->getHeader('Access-Control-Allow-Origin'));
+        $this->assertNotFalse($response->getHeader('Access-Control-Allow-Headers'));
+        $this->assertNotFalse($response->getHeader('Access-Control-Allow-Methods'));
+        $this->assertNotFalse($response->getHeader('Access-Control-Max-Age'));
+
+        $result = json_decode($response->getContent(), true);
+
+        $this->assertArrayNotHasKey("error", $result);
+        $this->assertEquals("Default Category", $result['data']['categoryList'][0]['name']);
+        $this->assertEquals(2, $result['data']['categoryList'][0]['id']);
+    }
+
+    /**
+     * @magentoConfigFixture default/web/graphql/cors_allowed_origins https://www.example.com
+     * @magentoConfigFixture default/web/graphql/cors_allowed_headers Content-Type
+     * @magentoConfigFixture default/web/graphql/cors_allowed_methods GET,POST,OPTIONS
+     * @magentoConfigFixture default/web/graphql/cors_max_age 86400
+     * @magentoConfigFixture default/web/graphql/cors_allow_credentials 1
+     */
+    public function testNormalRequestDoesNotContainsCorsHeaders()
+    {
+        $httpHeaders = new Headers();
+        $httpHeaders->addHeaderLine('Origin: https://www.example.com');
+        $this->dispatch('/');
+
+        $response = $this->getResponse();
+        $this->assertFalse($response->getHeader('Access-Control-Allow-Origin'));
+        $this->assertFalse($response->getHeader('Access-Control-Allow-Headers'));
+        $this->assertFalse($response->getHeader('Access-Control-Allow-Methods'));
+        $this->assertFalse($response->getHeader('Access-Control-Max-Age'));
+    }
+
+    /**
+     * @magentoConfigFixture default/web/graphql/cors_allowed_origins https://www.example.com
+     * @magentoConfigFixture default/web/graphql/cors_allowed_headers Content-Type
+     * @magentoConfigFixture default/web/graphql/cors_allowed_methods GET,POST,OPTIONS
+     * @magentoConfigFixture default/web/graphql/cors_max_age 86400
+     * @magentoConfigFixture default/web/graphql/cors_allow_credentials 1
+     */
+    public function testCorsNotAddedIfOriginIsNotAllowed()
+    {
+        $this->addOriginAndSendGraphQlRequest('https://www.test.com');
+        $response = $this->getResponse();
+        $this->assertFalse($response->getHeader('Access-Control-Allow-Origin'));
+        $this->assertFalse($response->getHeader('Access-Control-Allow-Headers'));
+        $this->assertFalse($response->getHeader('Access-Control-Allow-Methods'));
+        $this->assertFalse($response->getHeader('Access-Control-Max-Age'));
+    }
+
+    public function testCorsRequestFailsIfCorsConfigurationIsNotProvided()
+    {
+        $this->addOriginAndSendGraphQlRequest('https://www.example.com');
+        $response = $this->getResponse();
+        $this->assertFalse($response->getHeader('Access-Control-Allow-Origin'));
+        $this->assertFalse($response->getHeader('Access-Control-Allow-Headers'));
+        $this->assertFalse($response->getHeader('Access-Control-Allow-Methods'));
+        $this->assertFalse($response->getHeader('Access-Control-Max-Age'));
+    }
+
+    /**
+     * @magentoConfigFixture default/web/graphql/cors_allowed_origins https://www.example.com
+     * @magentoConfigFixture default/web/graphql/cors_allowed_headers Content-Type
+     * @magentoConfigFixture default/web/graphql/cors_allowed_methods GET,POST,OPTIONS
+     * @magentoConfigFixture default/web/graphql/cors_max_age 86400
+     * @magentoConfigFixture default/web/graphql/cors_allow_credentials 1
+     */
+    public function testIsCorsHeadersPresentInGraphQlOptionsResponse()
+    {
+        $this->addOriginAndSendGraphQlRequest('https://www.example.com', 'OPTIONS');
+
+        $response = $this->getResponse();
+        $this->assertNotFalse($response->getHeader('Access-Control-Allow-Origin'));
+        $this->assertNotFalse($response->getHeader('Access-Control-Allow-Headers'));
+        $this->assertNotFalse($response->getHeader('Access-Control-Allow-Methods'));
+        $this->assertNotFalse($response->getHeader('Access-Control-Max-Age'));
+
+        $result = json_decode($response->getBody(), true);
+        $this->assertArrayNotHasKey("error", $result);
+    }
+}