diff --git a/.env.development b/.env.development
index bbaf8ab..9d804b6 100644
--- a/.env.development
+++ b/.env.development
@@ -1,2 +1,3 @@
 PHOTOFIELD_DATA_DIR=./data
 PHOTOFIELD_API_PREFIX=/
+PHOTOFIELD_CORS_ALLOWED_ORIGINS=http://localhost:3000
\ No newline at end of file
diff --git a/main.go b/main.go
index 6ffcc68..3586443 100644
--- a/main.go
+++ b/main.go
@@ -1031,12 +1031,15 @@ func main() {
 r.Route(apiPrefix, func(r chi.Router) {
- r.Use(cors.Handler(cors.Options{
- AllowedOrigins: []string{"*"},
- AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
- AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
- MaxAge: 300, // Maximum value not ignored by any of major browsers
- }))
+ allowedOrigins := os.Getenv("PHOTOFIELD_CORS_ALLOWED_ORIGINS")
+ if allowedOrigins != "" {
+ r.Use(cors.Handler(cors.Options{
+ AllowedOrigins: strings.Split(allowedOrigins, ","),
+ AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
+ AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
+ MaxAge: 300, // Maximum value not ignored by any of major browsers
+ }))
+ }
 var api Api
 r.Mount("/", openapi.Handler(&api))
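Review bot: `strings.Split(allowedOrigins, ",")` in the new `r.Use` block passes each entry through untrimmed, so a value written as `http://a, http://b` or ending in a comma produces ` http://b` or an empty origin that never matches, and the operator gets a silent CORS failure instead of a visible config problem. Trim and drop empty entries before building `cors.Options`, and install the middleware only when at least one origin remains. A bare `*` in the variable still restores the previous allow-all behaviour, so a short comment above the block stating that an unset variable means no cross-origin access, and that `*` is for local development only, would make the default explicit. `main()` and the `r.Route` closure both extend beyond this hunk.

```go
allowedOrigins := os.Getenv("PHOTOFIELD_CORS_ALLOWED_ORIGINS")
// Unset or empty: no CORS middleware, so browsers refuse cross-origin reads.
var origins []string
for _, o := range strings.Split(allowedOrigins, ",") {
	if o = strings.TrimSpace(o); o != "" {
		origins = append(origins, o)
	}
}
if len(origins) > 0 {
	r.Use(cors.Handler(cors.Options{
		AllowedOrigins: origins,
		// … unchanged: AllowedMethods, AllowedHeaders, MaxAge …
	}))
}
```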