diff --git a/api-server/server/middlewares/constant-headers.js b/api-server/server/middlewares/constant-headers.js
index 7677bba84c..bca08ce7b1 100644
--- a/api-server/server/middlewares/constant-headers.js
+++ b/api-server/server/middlewares/constant-headers.js
@@ -1,6 +1,9 @@
+import { homeLocation } from '../../../config/env';
+
 export default function constantHeaders() {
 return function(req, res, next) {
- res.header('Access-Control-Allow-Origin', '*');
+ res.header('Access-Control-Allow-Origin', homeLocation);
+ res.header('Access-Control-Allow-Credentials', true);
 res.header(
 'Access-Control-Allow-Headers',
 'Origin, X-Requested-With, Content-Type, Accept'
diff --git a/client/src/utils/ajax.js b/client/src/utils/ajax.js
index 77d8bfbbc5..87e8173a32 100644
--- a/client/src/utils/ajax.js
+++ b/client/src/utils/ajax.js
@@ -1,6 +1,7 @@
 import axios from 'axios';
 const base = '/internal';
+axios.defaults.withCredentials = true;
 function get(path) {
 return axios.get(`${base}${path}`);
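Review bot: In constant-headers.js, `homeLocation` is written into `Access-Control-Allow-Origin` without any check, and with `Access-Control-Allow-Credentials` now `true` that value alone decides which origin may read authenticated responses. If the env value is unset, Express will most likely send the literal string `undefined`, and if it carries a path or trailing slash it will never equal a browser's `Origin`; both fail closed but silently, which invites a later change that echoes the request origin back. I would fail fast at module load, e.g. `if (!homeLocation) throw new Error('homeLocation must be set to the client origin');`, and add a comment above the header: `// Must be one exact origin (scheme://host[:port]); never '*' or a reflected Origin while credentials are allowed.` The middleware body continues past the end of the hunk.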
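Review bot: In client/src/utils/ajax.js, `axios.defaults.withCredentials = true` mutates the shared axios default, so every axios call in the bundle, not only the helpers in this file, will attach cookies on cross-origin requests. A dedicated instance keeps credentials scoped to the API calls: `const api = axios.create({ withCredentials: true });`, with the helpers calling `api.get(...)` instead of `axios.get(...)`. Only `get` is visible here and its body runs past the hunk, so the other helpers would need the same change. Because cookies now travel on cross-site requests, it is worth confirming that state-changing endpoints have CSRF protection, which this diff does not show.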