diff --git a/config/runtime.exs b/config/runtime.exs
index 45406476..15ba584a 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -366,6 +366,23 @@ config :epochtalk_server, EpochtalkServerWeb.Endpoint,
 Keyword.merge(base_endpoint_config, endpoint_config)
+## Configure corsica
+corsica_config =
+ case config_env() do
+ :prod ->
+ get_env_or_raise_with_message.(
+ "CORS_ORIGINS",
+ """
+ For example:
+ ~r{^https?://(.*\.)?epochtalk\.com$}
+ """
+ )
+ _ -> "*"
+ end
+
+config :epochtalk_server, :corsica, corsica_config
+
+
 ## Configure mailer in prod
 # (Other envs are hardcoded into their respective config/ files)
 if config_env() == :prod do
diff --git a/lib/epochtalk_server_web/endpoint.ex b/lib/epochtalk_server_web/endpoint.ex
index d41a4fd3..a609024a 100644
--- a/lib/epochtalk_server_web/endpoint.ex
+++ b/lib/epochtalk_server_web/endpoint.ex
@@ -6,7 +6,13 @@ defmodule EpochtalkServerWeb.Endpoint do
 plug RemoteIp
 # cors configuration
- plug Corsica, origins: "*", allow_headers: :all, expose_headers: ["epoch-viewer"]
+ corsica_config = Application.get_env(:epochtalk_server, :corsica)
+ plug Corsica,
+ origins: corsica_config.origins,
+ allow_headers: :all,
+ allow_credentials: true,
+ allow_private_network: true,
+ expose_headers: ["epoch-viewer", "api-key", "x-api-key"]
 socket "/socket", EpochtalkServerWeb.UserSocket,
 websocket: true,
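Review bot: The value stored under `:corsica` is a bare string (`"*"` or, presumably, the raw `CORS_ORIGINS` text, since `get_env_or_raise_with_message` is defined outside the hunk), while the endpoint.ex hunk reads `corsica_config.origins`, which raises on a binary; store a map instead, `config :epochtalk_server, :corsica, %{origins: corsica_config}`. The help text suggests a `~r{...}` value, but an environment variable arrives as a string, so Corsica would compare it literally and the sigil text would never match a real origin; compile the pattern in the `:prod` arm with `Regex.compile!/1` and show the example without the sigil wrapper. The `_ -> "*"` arm covers every non-prod environment, including any staging build, so the wildcard should be limited to `:dev` and `:test` explicitly. The heredoc is not `~S"""`, so the backslashes in the example are lost from the printed message.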
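Review bot: `Application.get_env(:epochtalk_server, :corsica)` on the line before `plug Corsica` runs while the module is compiled, but the key is set in config/runtime.exs, which is evaluated at boot. At build time the lookup therefore likely returns `nil` and `corsica_config.origins` fails, or a release freezes whatever the build machine had. Resolve the origin per request through Corsica's `{module, function, args}` form of `:origins`, or move the value to a compile-time config file and read it with `Application.compile_env/3`. Separately, `allow_credentials: true` with a `"*"` origin makes Corsica echo the caller's Origin header, and `allow_private_network: true` plus exposing `api-key`/`x-api-key` widens what a cross-origin page can read. A comment such as `# credentials and private-network access are on: origins must be an explicit allow-list` above the plug would record that constraint; the module body continues outside the hunk.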