diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index b3b3b8b3838d74059e07cb5ed1de5d4e9c16dc65..74323d98c44591d6b946d3e494bfa96d09e5466d 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -50,6 +50,8 @@ services:
       - lemmyexternalproxy
     restart: always
     environment:
+      # set this to the public origin that requests will come from
+      - LEMMY_CORS_ORIGIN=http://localhost
       - RUST_LOG="warn,lemmy_server=debug,lemmy_api=debug,lemmy_api_common=debug,lemmy_api_crud=debug,lemmy_apub=debug,lemmy_db_schema=debug,lemmy_db_views=debug,lemmy_db_views_actor=debug,lemmy_db_views_moderator=debug,lemmy_routes=debug,lemmy_utils=debug,lemmy_websocket=debug"
       - RUST_BACKTRACE=full
     volumes:
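Review bot: The comment added above `LEMMY_CORS_ORIGIN` does not say what form the value must take or when it is honoured. The value is handed to the server as a single allowed origin, so it presumably has to match the browser's `Origin` header exactly (scheme, host, and any non-default port). Per the `src/lib.rs` hunk in this commit, it is only applied when the server is built without debug assertions. Suggested wording: `# exact browser origin (scheme://host[:port]) allowed to make cross-origin requests; only applied in release builds`.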
diff --git a/src/lib.rs b/src/lib.rs
index 7179f219774bf7013744001cc3605917bd365174..d8d367fb3f920cf5b9001263fd5f41bb84d3a66c 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -150,10 +150,12 @@ pub async fn start_lemmy_server() -> Result<(), LemmyError> {
       .build()
       .expect("configure federation");
 
+    let cors_origin = std::env::var("LEMMY_CORS_ORIGIN").unwrap_or_default();
+
     let cors_config = if cfg!(debug_assertions) {
       Cors::permissive()
     } else {
-      Cors::default()
+      Cors::default().allowed_origin(&cors_origin)
     };
 
     App::new()
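Review bot: When `LEMMY_CORS_ORIGIN` is unset, `unwrap_or_default()` yields an empty string that is still passed to `allowed_origin` in the release branch, so a missing setting is treated like a configured one. Depending on the actix-cors version, an empty or malformed origin is likely rejected when the middleware is built, and a literal `*` is refused by `allowed_origin`; either would show up as a startup or request failure rather than a clear configuration error, which is worth confirming. Calling `allowed_origin` only for a non-empty value, and otherwise keeping `Cors::default()`, leaves the restrictive policy as the fallback. `start_lemmy_server` begins and ends outside this hunk.

```rust
// … unchanged: debug branch returning Cors::permissive() …
} else {
  // An unset or empty LEMMY_CORS_ORIGIN keeps the default policy instead of registering "".
  match std::env::var("LEMMY_CORS_ORIGIN") {
    Ok(origin) if !origin.is_empty() => Cors::default().allowed_origin(&origin),
    _ => Cors::default(),
  }
};
```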