diff --git a/api-server/server/middlewares/constant-headers.js b/api-server/server/middlewares/constant-headers.js
index bca08ce7b1..7742c49ff3 100644
--- a/api-server/server/middlewares/constant-headers.js
+++ b/api-server/server/middlewares/constant-headers.js
@@ -1,8 +1,17 @@
 import { homeLocation } from '../../../config/env';
+import { whitelistOrigins } from '../../../config/cors-settings';
 
 export default function constantHeaders() {
 return function(req, res, next) {
- res.header('Access-Control-Allow-Origin', homeLocation);
+ if (
+ req.headers &&
+ req.headers.origin &&
+ whitelistOrigins.includes(req.headers.origin)
+ ) {
+ res.header('Access-Control-Allow-Origin', req.headers.origin);
+ } else {
+ res.header('Access-Control-Allow-Origin', homeLocation);
+ }
 res.header('Access-Control-Allow-Credentials', true);
 res.header(
 'Access-Control-Allow-Headers',
diff --git a/config/cors-settings.js b/config/cors-settings.js
new file mode 100644
index 0000000000..ba83f1849f
--- /dev/null
+++ b/config/cors-settings.js
@@ -0,0 +1,8 @@
+exports.whitelistOrigins = [
+ 'https://www.freecodecamp.dev',
+ 'https://www.freecodecamp.org',
+ 'https://beta.freecodecamp.dev',
+ 'https://beta.freecodecamp.org',
+ 'https://chinese.freecodecamp.dev',
+ 'https://chinese.freecodecamp.org'
+];
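Review bot: The new branch makes the Access-Control-Allow-Origin value depend on the request's Origin header, but nothing sets `Vary: Origin`, so a shared or CDN cache could store a response carrying one allowlisted origin and serve it to a browser on another; add `res.header('Vary', 'Origin');` (or Express's `res.vary('Origin')`) alongside the header in both branches. The exact-match `whitelistOrigins.includes(req.headers.origin)` is the right check here given that Access-Control-Allow-Credentials is set to true on the following line — a prefix or regex match would be weaker, so keep it as written. The `req.headers &&` guard is redundant in Express, where `req.headers` is always an object, and could be dropped for readability. The returned middleware's body continues past the end of the hunk.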
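Review bot: The new module is written as CommonJS (`exports.whitelistOrigins = [...]`) while its only consumer in this commit, api-server/server/middlewares/constant-headers.js, reads it with an ES `import { whitelistOrigins }`; that works only through the transpiler's interop, so `export const whitelistOrigins = [ ... ];` would match the importing side and the existing config/env import style. This list is also the sole definition of which origins may receive credentialed CORS responses, so a short header comment stating that each entry must be an exact scheme-plus-host match (no trailing slash, no wildcard, no path) would help the next person who edits it.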