diff --git a/api/libretime_api/settings/_internal.py b/api/libretime_api/settings/_internal.py
index 4280ab45a..b8547b5ad 100644
--- a/api/libretime_api/settings/_internal.py
+++ b/api/libretime_api/settings/_internal.py
@@ -25,9 +25,11 @@ INSTALLED_APPS = [
 "rest_framework",
 "django_filters",
 "drf_spectacular",
+ "corsheaders",
 ]
 MIDDLEWARE = [
+ "corsheaders.middleware.CorsMiddleware",
 "django.middleware.security.SecurityMiddleware",
 "django.contrib.sessions.middleware.SessionMiddleware",
 "django.middleware.common.CommonMiddleware",
diff --git a/api/libretime_api/settings/prod.py b/api/libretime_api/settings/prod.py
index 1a26fb374..9afbdf067 100644
--- a/api/libretime_api/settings/prod.py
+++ b/api/libretime_api/settings/prod.py
@@ -39,6 +39,18 @@ ALLOWED_HOSTS = ["*"]
 LOGGING = setup_logger(LIBRETIME_LOG_FILEPATH)
+# CORS
+# https://github.com/adamchainz/django-cors-headers
+
+# Create an 'origin' by removing the public_url path
+public_url_origin = (
+ CONFIG.general.public_url[: -len(CONFIG.general.public_url.path)]
+ if CONFIG.general.public_url.path
+ else CONFIG.general.public_url
+)
+
+CORS_ALLOWED_ORIGINS = [public_url_origin] + CONFIG.general.allowed_cors_origins
+
 # Database
 # https://docs.djangoproject.com/en/3.2/ref/settings/#databases
diff --git a/api/requirements.txt b/api/requirements.txt
index 491c7c344..8ab144a7f 100644
--- a/api/requirements.txt
+++ b/api/requirements.txt
@@ -1,5 +1,6 @@
 # Please do not edit this file, edit the setup.py file!
 # This file is auto-generated by tools/extract_requirements.py.
+django-cors-headers>=3.14.0,<3.15
 django-filter>=2.4.0,<22.2
 django>=4.1.4,<4.2
 djangorestframework>=3.12.1,<3.15
diff --git a/api/setup.py b/api/setup.py
index ca2650915..bfe3e0acf 100644
--- a/api/setup.py
+++ b/api/setup.py
@@ -24,6 +24,7 @@ setup(
 ]
 },
 install_requires=[
+ "django-cors-headers>=3.14.0,<3.15",
 "django-filter>=2.4.0,<22.2",
 "django>=4.1.4,<4.2",
 "djangorestframework>=3.12.1,<3.15",
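Review bot: The position of `corsheaders.middleware.CorsMiddleware` at the head of `MIDDLEWARE` is load-bearing but undocumented. django-cors-headers asks for it to sit above any middleware that can generate a response (such as `CommonMiddleware`), otherwise those responses go out without CORS headers. I would add a comment above the entry, e.g. `# Must stay first: responses produced by later middleware would otherwise miss the CORS headers.` The `MIDDLEWARE` list continues past the end of the hunk.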
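Review bot: `public_url_origin` in `prod.py` is produced by slicing `len(path)` characters off the end of the URL string, which is an origin only when the path is the final component of `public_url`; with a query string or fragment present the slice removes the wrong characters and an unintended value lands in `CORS_ALLOWED_ORIGINS`. The entries taken from `CONFIG.general.allowed_cors_origins` (declared as `List[AnyHttpUrl]` in the `_models.py` hunk) are not reduced at all, so one configured with a path or trailing slash can never equal a browser `Origin` header, and django-cors-headers' settings check is likely to reject it. I would derive every entry from the parsed scheme and authority with one helper and apply it to both sources, as sketched below. `urlsplit` comes from `urllib.parse`, and the import block is outside the hunk.

```python
# … unchanged: LOGGING setup above …

def _as_origin(url) -> str:
    """Reduce a URL to the scheme://host[:port] form browsers send in Origin."""
    parts = urlsplit(str(url))
    # Drop any userinfo; path, query and fragment are not part of an origin.
    authority = parts.netloc.rpartition("@")[2]
    return f"{parts.scheme}://{authority}"


CORS_ALLOWED_ORIGINS = [
    _as_origin(url)
    for url in (CONFIG.general.public_url, *CONFIG.general.allowed_cors_origins)
]
```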
diff --git a/shared/libretime_shared/config/_models.py b/shared/libretime_shared/config/_models.py
index 6b3d2aff1..bbfdd495f 100644
--- a/shared/libretime_shared/config/_models.py
+++ b/shared/libretime_shared/config/_models.py
@@ -48,6 +48,8 @@ class GeneralConfig(BaseModel):
 timezone: str = "UTC"
+ allowed_cors_origins: List[AnyHttpUrl] = []
+
 # Validators
 _public_url_no_trailing_slash = no_trailing_slash_validator("public_url")
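Review bot: `allowed_cors_origins` is added without a comment saying what form its values must take, while the neighbouring `public_url` at least has its `no_trailing_slash_validator`. An operator reading the model cannot tell that each entry has to be a bare origin for the browser comparison to succeed. I would document the field, e.g. `# Extra origins allowed to call the API cross-origin; scheme://host[:port] only, no path or trailing slash.` The rest of `GeneralConfig` lies outside the hunk, so a validator for this field elsewhere in the class cannot be ruled out.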