diff --git a/.env.sample b/.env.sample
index 92b87cbc..527fef53 100644
--- a/.env.sample
+++ b/.env.sample
@@ -12,8 +12,19 @@ ROLLBAR_ENV=localhost
 HTTP_HEADER_APP_ID=x-app-id
 HTTP_HEADER_APP_SECRET=x-app-secret
-# official web clients
+# Official web clients. Use comma to separate all site origins.
 RUMORS_SITE_CORS_ORIGIN=http://localhost:3000
+
+# Websites to redirect back to. Use comma to separate all site origins.
+# After logging-in, it will always redirect user to domains specified here.
+# If the request is coming from other domains, it will be redirected to the first origin here.
+#
+# Please make sure the domain is the "same site" as PUBLIC_API_URL in rumors-site
+# so that login cookies can be picked up when rumors-site make requests to this API server.
+#
+RUMORS_SITE_REDIRECT_ORIGIN=http://localhost:3000
+
+# Official LINE clients
 RUMORS_LINE_BOT_CORS_ORIGIN=http://localhost:5001
 # official line bot client
@@ -56,7 +67,7 @@ GA_WEB_VIEW_ID=GA_WEB_VIEW_ID
 GA_LINE_VIEW_ID=GA_LINE_VIEW_ID
 # URL to URL resolver microservice (http://github.com/cofacts/url-resolver)
-URL_RESOLVER_URL=http://localhost:4000
+URL_RESOLVER_URL=localhost:4000
 # Apollo engine. When not given, disables Apollo Engine introspection
 ENGINE_API_KEY=
diff --git a/src/auth.js b/src/auth.js
index 848a6ad0..866d9889 100644
--- a/src/auth.js
+++ b/src/auth.js
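Review bot: The new comment block for RUMORS_SITE_REDIRECT_ORIGIN does not say that the value is required, yet the src/auth.js hunk in this same diff substitutes `''` when it is unset, so a deployment that keeps its old .env will have every web-client login end in an HTTP 400 rather than a redirect. A line such as `# Required for web client logins: when unset, post-login redirects fail with HTTP 400.` above the variable would surface that at configuration time. It is also worth stating that entries are compared with exact string equality against the session origin in auth.js, so each one needs scheme, host and port exactly as the browser sends them and no trailing slash, e.g. `# Each entry must match the browser's Origin exactly (scheme://host:port, no trailing slash).` Minor wording: "rumors-site make requests" should read "rumors-site makes requests".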
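Review bot: URL_RESOLVER_URL loses its `http://` scheme in the second hunk, a change unrelated to the login-redirect work and not explained, while the comment directly above still calls the value a "URL". If the resolver client expects a bare host:port target, the comment should say so, e.g. `# host:port of the URL resolver microservice (http://github.com/cofacts/url-resolver), without a scheme`; if it still expects a URL, the new sample value will break resolution for anyone who copies it. Either way the sample and the consuming code should be checked against each other before this lands.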
@@ -221,13 +221,23 @@ export const authRouter = Router()
 ctx.session.appId === 'RUMORS_SITE' ||
 ctx.session.appId === 'DEVELOPMENT_FRONTEND'
 ) {
- const allowedOrigins = process.env.RUMORS_SITE_CORS_ORIGIN.split(',');
- basePath = allowedOrigins.find(o => o === ctx.session.origin);
+ const validOrigins = (
+ process.env.RUMORS_SITE_REDIRECT_ORIGIN || ''
+ ).split(',');
+
+ basePath =
+ validOrigins.find(o => o === ctx.session.origin) || validOrigins[0];
 }
 // TODO: Get basePath from DB for other client apps
+ try {
+ ctx.redirect(new URL(ctx.session.redirect, basePath).href);
+ } catch (err) {
+ err.status = 400;
+ err.expose = true;
+ throw err;
+ }
- ctx.redirect(new URL(ctx.session.redirect, basePath).href);
 // eslint-disable-next-line require-atomic-updates
 ctx.session.appId = undefined;
 // eslint-disable-next-line require-atomic-updates
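Review bot: The allowlist behind the new `basePath` fallback constrains only the base argument of `new URL(ctx.session.redirect, basePath)`; when `ctx.session.redirect` is itself an absolute URL the base is ignored, so a session carrying an off-site redirect value is still sent there unless that value is validated where it is stored, which is outside this hunk. Comparing the resolved target's origin with `basePath` inside the existing try block closes that gap for the web clients and keeps the TODO branch, where `basePath` stays undefined, behaving as before. Separately, when `RUMORS_SITE_REDIRECT_ORIGIN` is unset `validOrigins` is `['']`, so `basePath` becomes `''` and every web-client login takes the 400 path; a startup check or log line on the empty value would make that misconfiguration visible sooner than a client error does. The enclosing handler starts before this hunk and continues after it.

```javascript
  try {
    const target = new URL(ctx.session.redirect, basePath);
    // An absolute ctx.session.redirect ignores basePath; keep the target on the allowed origin.
    if (basePath && target.origin !== new URL(basePath).origin) {
      throw new Error('Redirect target is not an allowed origin');
    }
    ctx.redirect(target.href);
  } catch (err) {
    // … unchanged: set status 400, expose, rethrow …
  }
```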