diff --git a/src/main/java/org/openmbee/mms/mmsri/config/SecurityConfig.java b/src/main/java/org/openmbee/mms/mmsri/config/SecurityConfig.java
index 36c57d2..c73fd40 100644
--- a/src/main/java/org/openmbee/mms/mmsri/config/SecurityConfig.java
+++ b/src/main/java/org/openmbee/mms/mmsri/config/SecurityConfig.java
@@ -33,6 +33,9 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter implements
  @Value("${mms.hsts.enabled:false}")
  private boolean hsts;
 
+ @Value("${cors.allowed.origins:*}")
+ private String allowedOrigins;
+
  @Autowired
  AuthSecurityConfig authSecurityConfig;
 
@@ -77,14 +80,16 @@ public void addCorsMappings(CorsRegistry registry) {
  .allowedMethods("*")
  .allowCredentials(true)
  .maxAge(3600L)
- .allowedOriginPatterns("*");
+ .allowedOriginPatterns(allowedOrigins.split(","));
  }
 
  private CorsFilter corsFilter() {
  UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
  CorsConfiguration config = new CorsConfiguration();
  config.setAllowCredentials(true);
- config.addAllowedOriginPattern("*");
+ for (String origin: allowedOrigins.split(",")) {
+ config.addAllowedOriginPattern(origin);
+ }
  config.addAllowedHeader("*");
  config.addAllowedMethod("*");
  config.setMaxAge(3600L);
diff --git a/src/main/resources/application.properties.example b/src/main/resources/application.properties.example
index 43c9c54..35dcc73 100644
--- a/src/main/resources/application.properties.example
+++ b/src/main/resources/application.properties.example
@@ -4,6 +4,8 @@ mms.admin.username=test
 mms.admin.password=test
 mms.stream.batch.size=100000
 
+cors.allowed.origins=*
+
 # jwt issued by mms for logins via /authentication
 jwt.secret=make_me_something_really_long
 jwt.expiration=86400
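Review bot: The fallback in `@Value("${cors.allowed.origins:*}")` keeps the wildcard, so a deployment that never sets the property still pairs an any-origin pattern with `allowCredentials(true)` in both `addCorsMappings` and `corsFilter()` (second hunk), and the example properties file ships the same `*`. With origin patterns Spring answers with the requesting origin rather than a literal `*`, so credentialed cross-origin reads remain open to every site until an operator narrows the list. Consider requiring the property explicitly, `@Value("${cors.allowed.origins}")`, and add a comment above `cors.allowed.origins=*` in application.properties.example such as `# comma-separated origin patterns; '*' lets any site send credentialed requests, list trusted origins in production`. The class body continues outside this hunk.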
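Review bot: `allowedOrigins.split(",")` in `addCorsMappings` and again in `corsFilter()` hands the pieces on untrimmed, so a value written as `https://a.example, https://b.example` (constructed example) produces a second pattern with a leading space that may never match an Origin header, and an empty property value yields a single empty pattern. That failure is silent: the operator believes an origin is allowed, or believes the list is restricted, and nothing is logged either way. Parse the property once with trimming and reuse the result in both places, e.g. `String[] origins = allowedOrigins.trim().split("\\s*,\\s*");`, then pass `origins` to `allowedOriginPatterns(...)` and loop over it in `corsFilter()`. `addCorsMappings` begins before this hunk and `corsFilter()` ends after it.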