diff --git a/config/runtime.exs b/config/runtime.exs
index 45406476..1d73462d 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -366,6 +366,28 @@ config :epochtalk_server, EpochtalkServerWeb.Endpoint,
 Keyword.merge(base_endpoint_config, endpoint_config)
+## Configure corsica
+corsica_config_origins =
+ case config_env() do
+ :prod ->
+ get_env_or_raise_with_message.(
+ "CORS_ORIGINS",
+ """
+ For example:
+ ~r{^https?://(.*\.)?epochtalk\.com$}
+ """
+ )
+
+ _ ->
+ "*"
+ end
+
+corsica_config = %{
+ origins: corsica_config_origins
+}
+
+config :epochtalk_server, :corsica, corsica_config
+
 ## Configure mailer in prod
 # (Other envs are hardcoded into their respective config/ files)
 if config_env() == :prod do
diff --git a/lib/epochtalk_server_web/endpoint.ex b/lib/epochtalk_server_web/endpoint.ex
index d41a4fd3..d340adea 100644
--- a/lib/epochtalk_server_web/endpoint.ex
+++ b/lib/epochtalk_server_web/endpoint.ex
@@ -6,7 +6,18 @@ defmodule EpochtalkServerWeb.Endpoint do
 plug RemoteIp
 # cors configuration
- plug Corsica, origins: "*", allow_headers: :all, expose_headers: ["epoch-viewer"]
+ plug Corsica,
+ origins: {__MODULE__, :valid_origin?, []},
+ allow_headers: :all,
+ allow_credentials: false,
+ allow_private_network: true,
+ expose_headers: ["epoch-viewer", "api-key", "x-api-key"]
+
+ def valid_origin?(conn, _origin) do
+ origins = Application.get_env(:epochtalk_server, :corsica).origins
+ options = %Corsica.Options{origins: origins}
+ Corsica.allowed_origin?(conn, options)
+ end
 socket "/socket", EpochtalkServerWeb.UserSocket,
 websocket: true,
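Review bot: The help text for `CORS_ORIGINS` suggests a `~r{...}` regex, but `get_env_or_raise_with_message` presumably returns the raw environment string, and Corsica matches a binary origin as an exact literal (per its documentation; worth confirming against the pinned version), so in prod the example value would never equal a browser's `Origin` header and every cross-origin request would be rejected instead of scoped to epochtalk.com subdomains. Either compile the string with `Regex.compile!/1`, or, simpler and easier to audit, document it as a comma-separated list of exact origins and parse it with `|> String.split(",", trim: true) |> Enum.map(&String.trim/1)` after the call, changing the example text to `https://epochtalk.com,https://www.epochtalk.com`. The `_ ->` branch hands `"*"` to every non-prod environment, which is acceptable only while `allow_credentials` stays false; that dependency deserves a comment above the `case` so the wildcard is not copied into a prod-like staging config. The `config :epochtalk_server, EpochtalkServerWeb.Endpoint` statement whose `Keyword.merge` line opens the hunk begins before it.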
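Review bot: `expose_headers` now lists `api-key` and `x-api-key`, which names a credential-bearing response header that JavaScript from any allowed origin is then permitted to read, and in non-prod the allowed origin is `"*"`. If these are request headers the client sends, they are already covered by `allow_headers: :all` and should simply be dropped from `expose_headers`; if the server really echoes a key back in a response header, that header is the thing to remove rather than expose. `allow_private_network: true` likewise grants Private Network Access to every allowed origin, so combined with the wildcard fallback a page on any public site could be allowed to reach a dev instance on a LAN; consider enabling it only in prod or documenting why it is needed. In `valid_origin?/2`, `Application.get_env(:epochtalk_server, :corsica).origins` fails with an opaque `nil.origins` error when the key is unset, whereas `Application.fetch_env!(:epochtalk_server, :corsica).origins` names the missing config. A short `@doc` on `valid_origin?/2` stating that it is Corsica's `{module, function, args}` origin callback reading runtime config would also help, since a public function on the Endpoint is otherwise surprising.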