diff --git a/server/app/__init__.py b/server/app/__init__.py
index 406c603..c159c56 100644
--- a/server/app/__init__.py
+++ b/server/app/__init__.py
@@ -23,7 +23,9 @@ def create_app(cfg=config):
     CORS(
         app,
         resources={r'/api/*': {
-            'origins': '*',
+            'methods': ['POST', 'OPTIONS'],
+            'allow_origins': app.config['CORS_ALLOWED_ORIGINS'].split(','),
+            'allow_headers': app.config['CORS_ALLOWED_HEADERS'].split(','),
         }})
 
     return app
diff --git a/server/config.py b/server/config.py
index db7a238..4af58e5 100644
--- a/server/config.py
+++ b/server/config.py
@@ -16,3 +16,6 @@ MAIL_USERNAME = getenv("FLASK_MAIL_USERNAME")
 MAIL_PASSWORD = getenv("FLASK_MAIL_PASSWORD")
 
 MAIL_RECIPIENT = getenv("FLASK_MAIL_RECIPIENT")
+
+CORS_ALLOWED_ORIGINS = getenv("FLASK_CORS_ORIGINS")
+CORS_ALLOWED_HEADERS = getenv("FLASK_CORS_ALLOW_HEADERS")