diff --git a/.env.example b/.env.example
index fff8c06d..930f7711 100644
--- a/.env.example
+++ b/.env.example
@@ -1,6 +1,9 @@
 API_VERSION=
 SERVER_PORT=
+CORS_ORIGIN=
+CORS_METHOD=
+
 SERVER_SECRET=
 AWS_ACCESS_KEY=
diff --git a/src/common/ExpressApp.ts b/src/common/ExpressApp.ts
index 06050c31..04eaf23a 100644
--- a/src/common/ExpressApp.ts
+++ b/src/common/ExpressApp.ts
@@ -16,10 +16,10 @@ export class ExpressApp {
 return this
 }
- useCORS() {
+ useCORS(origin: string, method: string) {
 const cors = function(_: any, res: express.Response, next: Function) {
- res.setHeader('Access-Control-Allow-Origin', '*')
- res.setHeader('Access-Control-Request-Method', '*')
+ res.setHeader('Access-Control-Allow-Origin', origin)
+ res.setHeader('Access-Control-Request-Method', method)
 res.setHeader(
 'Access-Control-Allow-Methods',
 'OPTIONS, GET, POST, PUT, DELETE'
@@ -30,6 +30,7 @@ export class ExpressApp {
 }
 this.app.use(cors)
 this.router.all('*', cors)
+ return this
 }
 useVersion(version: string = '') {
diff --git a/src/server.ts b/src/server.ts
index 8d182265..8f268049 100644
--- a/src/server.ts
+++ b/src/server.ts
@@ -7,11 +7,13 @@ const API_VERSION = env.get('API_VERSION', 'v1')
 const app = new ExpressApp()
-app.useJSON().useVersion(API_VERSION)
+const corsOrigin = env.isDevelopment() ? '*' : env.get('CORS_ORIGIN', '')
+const corsMethod = env.isDevelopment() ? '*' : env.get('CORS_METHOD', '')
-if (env.isDevelopment()) {
- app.useCORS()
-}
+app
+ .useJSON()
+ .useVersion(API_VERSION)
+ .useCORS(corsOrigin, corsMethod)
 // Mount routers
 new ContestRouter(app).mount()
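Review bot: In the first `src/common/ExpressApp.ts` hunk, the new `method` argument of `useCORS` is written to `Access-Control-Request-Method`, which is a header the browser sends on a preflight request rather than one the server answers with, so `CORS_METHOD` restricts nothing. The methods actually granted are still the hard-coded `Access-Control-Allow-Methods` list in the context lines that follow. If the setting is meant to be enforceable, pass it to the response header instead, `res.setHeader('Access-Control-Allow-Methods', method)`, and drop the Request-Method line. A short doc comment on `origin` should also say that `Access-Control-Allow-Origin` takes a single origin or `*`, so a comma-separated `CORS_ORIGIN` would not act as an allow-list. The `cors` closure continues past the end of this hunk.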
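Review bot: In `src/server.ts`, `corsOrigin` falls back to `''` outside development when `CORS_ORIGIN` is unset, so the server starts normally and sends an empty `Access-Control-Allow-Origin` on every response; browsers reject that, but the misconfiguration is silent. A startup guard such as `if (!env.isDevelopment() && !corsOrigin) throw new Error('CORS_ORIGIN must be set')` would surface it at boot. The wildcard branch depends on `env.isDevelopment()`, whose definition is not visible here; if it returns true when the environment variable is simply missing, a production deploy without it would serve `*`, so that default is worth confirming. CORS headers are now applied in every environment, where the removed lines applied them in development only, which deserves a line in the commit description.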