If you add the headers to the web.config, every request that is served by that application will include the specified headers. This method is supported at the web server level and doesn’t depend on config.EnableCors() being executed. You can use that method to add any HTTP header you want.
On the flip side, the EnableCors attribute requires WebAPI and you need to add some code to make it work. To the end user, the result is the same.
As for which way is better? I’ve liked keeping those settings in the application code by using the attribute so these settings are obvious to future developers. Depending on your needs, you may want to look into a abstract CorsApiController which your main ApiControllers could inherit to deliver the same CORS headers over and over. But this method won’t work if the CORS headers need to vary from controller to controller or from action to action.