diff --git a/api.planx.uk/server.ts b/api.planx.uk/server.ts
index a54833d09b..8c95c29f04 100644
--- a/api.planx.uk/server.ts
+++ b/api.planx.uk/server.ts
@@ -42,9 +42,9 @@ const checkAllowedOrigins: CorsOptions["origin"] = (origin, callback) => {
 const isTest = process.env.NODE_ENV === "test";
 const isDevelopment = process.env.APP_ENVIRONMENT === "development";
 const allowList = process.env.CORS_ALLOWLIST?.split(", ") || [];
- const isAllowed = origin && allowList.includes(origin);
+ const isAllowed = Boolean(origin && allowList.includes(origin));
- isTest || isDevelopment || isAllowed
+ !origin || isTest || isDevelopment || isAllowed
 ? callback(null, true)
 : callback(new Error("Not allowed by CORS"));
 };
diff --git a/infrastructure/application/utils/generateCORSAllowList.ts b/infrastructure/application/utils/generateCORSAllowList.ts
index 5700b5ba2c..d49aebb77f 100644
--- a/infrastructure/application/utils/generateCORSAllowList.ts
+++ b/infrastructure/application/utils/generateCORSAllowList.ts
@@ -3,7 +3,7 @@ import * as awsx from "@pulumi/awsx";
 import { CustomDomains } from "../../common/teams";
 export const generateCORSAllowList = (customDomains: CustomDomains, domain: string): awsx.ecs.KeyValuePair => {
- const customDomainURLs = customDomains.map(team => team.domain);
+ const customDomainURLs = customDomains.map(team => `https://${team.domain}`);
 const editorURL = `https://${domain}`;
 const corsAllowList = [...customDomainURLs, editorURL];
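Review bot: The new `!origin` term in the ternary condition of `checkAllowedOrigins` accepts every request that carries no Origin header, and nothing in the hunk records why. That is the usual way to let non-browser callers and header-less same-origin requests through, but it also means this callback never restricts such clients, so the routes behind it have to authenticate on their own rather than lean on CORS. I would add a comment directly above the condition, for example `// No Origin header: non-browser or same-origin request; CORS is not an access control here, routes must authenticate themselves`. A literal `Origin: null` is still a non-empty string and stays rejected unless it is listed, which is worth keeping, so `"null"` should never be added to `CORS_ALLOWLIST`.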
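Review bot: The added template `https://${team.domain}` in `generateCORSAllowList` assumes every `team.domain` is a bare hostname, while the API side compares origins by exact string match after `split(", ")`. An entry that already carries a scheme, a trailing slash or a path would produce a value that silently never matches, which is the same class of failure this commit fixes. Normalising at build time, `customDomains.map(team => new URL(`https://${team.domain}`).origin)`, would strip a path or trailing slash and throw on malformed input during deployment; an entry that already carries a scheme still needs an explicit check, as `new URL` can parse it without throwing. The rest of the function, including how the list is joined, lies outside the hunk, so it is worth confirming that the separator is exactly `", "` to match the parser in `server.ts`.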