diff --git a/pkg/cors/cors.go b/pkg/cors/cors.go
new file mode 100644
index 0000000..877ef3a
--- /dev/null
+++ b/pkg/cors/cors.go
@@ -0,0 +1,53 @@
+package cors
+
+import (
+	"net/http"
+	"os"
+	"strconv"
+	"strings"
+)
+
+type CorsOptions struct {
+	AllowedMethods, AllowedHeaders, AllowedOrigins []string
+	AllowedCredentials                             bool
+}
+
+func retriveOriginEnv(name string) []string {
+	return strings.Split(os.Getenv(name), " ")
+}
+
+func NewCors() CorsOptions {
+	allowedOrigins := []string{"*"}
+	if envOrigin := retriveOriginEnv("ALLOWED_ORIGINS"); envOrigin[0] != "" {
+		allowedOrigins = envOrigin
+	}
+	allowedMethods := []string{http.MethodHead,
+		http.MethodGet,
+		http.MethodPost,
+		http.MethodPut,
+		http.MethodPatch,
+		http.MethodDelete,
+	}
+	if envMethod := retriveOriginEnv("ALLOWED_METHODS"); envMethod[0] == "" {
+		allowedMethods = []string{"POST", "GET", "OPTIONS"}
+	}
+	allowedHeaders := []string{"*"}
+	if envHeaders := retriveOriginEnv("ALLOWED_HEADERS"); envHeaders[0] == "" {
+		allowedHeaders = []string{"Accept", "Authorization", "Origin", "Content-Type"}
+	}
+	allowedCredentials := true
+	var err error
+	if envCredentials := os.Getenv("ALLOWED_CREDENTIALS"); envCredentials != "" {
+		allowedCredentials, err = strconv.ParseBool(envCredentials)
+		if err != nil {
+			panic("cannot parse  ALLOWED_CREDENTIALS env to boolean")
+		}
+	}
+	c := CorsOptions{
+		AllowedMethods:     allowedMethods,
+		AllowedHeaders:     allowedHeaders,
+		AllowedOrigins:     allowedOrigins,
+		AllowedCredentials: allowedCredentials,
+	}
+	return c
+}