diff --git a/Gemfile b/Gemfile index b2d2da0..f07d14b 100644 --- a/Gemfile +++ b/Gemfile @@ -41,6 +41,8 @@ gem 'stimulus-rails' # Windows does not include zoneinfo files, so bundle the tzinfo-data gem gem 'tzinfo-data', platforms: %i[windows jruby] +gem 'rack-cors' + # Use Redis adapter to run Action Cable in production # gem "redis", ">= 4.0.1" diff --git a/Gemfile.lock b/Gemfile.lock index 8d1caa2..56ee1a2 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -201,6 +201,8 @@ GEM nio4r (~> 2.0) racc (1.7.3) rack (3.0.10) + rack-cors (2.0.2) + rack (>= 2.0.0) rack-session (2.0.0) rack (>= 3.0.0) rack-test (2.1.0) @@ -347,6 +349,7 @@ DEPENDENCIES mitlibraries-theme! pg puma (>= 5.0) + rack-cors rails (~> 7.1.2) rubocop rubocop-capybara diff --git a/README.md b/README.md index 18fecb8..3fcdbe3 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,8 @@ `LINKRESOLVER_BASEURL`: base url for our link resolver. `https://mit.primo.exlibrisgroup.com/discovery/openurl?institution=01MIT_INST&rfr_id=info:sid/mit.tacos.api&vid=01MIT_INST:MIT` is probably the best value unless you are doing something interesting. +`ORIGINS`: comma-separated list of domains allowed to connect to (and thus query or contribute to) the application. Be sure to specify the port number if a connecting application is not using the standard ports (this applies mostly to local development). If not defined, no external connections will be permitted. + `UNPAYWALL_EMAIL`: email address to include in API call as required in their [documentation](https://unpaywall.org/products/api). Your personal email is appropriate for development. Deployed and for tests, use the timdex moira list email. ### Optional diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb new file mode 100644 index 0000000..0c0b42d --- /dev/null +++ b/config/initializers/cors.rb 
@@ -0,0 +1,10 @@
+# Be sure to restart your server when you modify this file.
+
+# config/initializers/cors.rb
+
+Rails.application.config.middleware.insert_before 0, Rack::Cors do
+ allow do
+ origins ENV.fetch('ORIGINS', '').split(',').map{|t| t.strip}
+ resource '/graphql', headers: :any, methods: [:post]
+ end
+end
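Review bot: The `origins` line hands the contents of `ORIGINS` to rack-cors unfiltered, so a deployment that sets it to `*` makes `/graphql` POST responses readable from every origin with no warning. If a wildcard is never intended, filter the list first, e.g. `origins ENV.fetch('ORIGINS', '').split(',').map(&:strip).reject { |o| o.empty? || o == '*' }`, which also drops blank entries left by stray commas. A comment above that line should state that an unset variable yields an empty allow-list. Separately, this middleware only controls what browsers permit cross-origin pages to do; non-browser clients can still POST to `/graphql`, so the README's "no external connections will be permitted" overstates what it enforces. Entries without a scheme may also match both http and https origins, which is worth confirming against the rack-cors documentation.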