We’re overhauling Dgraph’s docs to make them clearer and more approachable. If you notice any issues during this transition or have suggestions, please let us know.
To restrict origins of HTTP requests add lines starting with # Dgraph.Allow-Origin at the end of your GraphQL schema specifying the origins allowed. For example, the following restricts all origins except the ones specified. 
# Dgraph.Allow-Origin "https://example.com"
# Dgraph.Allow-Origin "https://www.example.com"
CORS restrictions only apply to browsers.
By default, the /graphql endpoint doesn’t limit the request origin (Access-Control-Allow-Origin: *).