diff --git a/.env b/.env
index 2af46d8d..4451b0c4 100644
--- a/.env
+++ b/.env
@@ -6,6 +6,11 @@ COMPOSE_PATH_SEPARATOR=;
 COMPOSE_FILE=docker-compose.yml;docker/dev.yml
 
 API_PORT=127.0.0.1:8000
+
+# CORS
+CORS_ALLOW_ORIGINS=["http://localhost","http://localhost:8000"]
+
+# authentication server
 OAUTH2_SERVER_URL=https://world.openfoodfacts.org/cgi/auth.pl
 
 # by default on dev desktop, no restart
@@ -25,4 +30,4 @@ POSTGRES_PASSWORD=postgres
 POSTGRES_HOST=postgres
 POSTGRES_PORT=5432
 
-POSTGRES_EXPOSE=127.0.0.1:5433
\ No newline at end of file
+POSTGRES_EXPOSE=127.0.0.1:5433
diff --git a/.github/workflows/container-deploy.yml b/.github/workflows/container-deploy.yml
index e2b43469..e2b238af 100644
--- a/.github/workflows/container-deploy.yml
+++ b/.github/workflows/container-deploy.yml
@@ -113,6 +113,7 @@ jobs:
           echo "RESTART_POLICY=always" >> .env
           # Set App variables
           echo "API_PORT=8190" >> .env
+          echo "CORS_ALLOW_ORIGINS=['https://prices.openfoodfacts.net','https://prices.openfoodfacts.org']" >> .env
           echo "OAUTH2_SERVER_URL=https://world.openfoodfacts.org/cgi/auth.pl" >> .env
           echo "SENTRY_DNS=${{ secrets.SENTRY_DSN }}" >> .env
           echo "POSTGRES_EXPOSE=127.0.0.1:5433" >> .env
diff --git a/app/api.py b/app/api.py
index 488e1b68..29101baf 100644
--- a/app/api.py
+++ b/app/api.py
@@ -13,6 +13,7 @@
     UploadFile,
     status,
 )
+from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import HTMLResponse, PlainTextResponse
 from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
 from fastapi.staticfiles import StaticFiles
@@ -47,7 +48,17 @@
         "url": "https://www.gnu.org/licenses/agpl-3.0.en.html",
     },
 )
+
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=settings.cors_allow_origins,
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
 templates = Jinja2Templates(directory=Path(__file__).parent / "templates")
+
 init_sentry(settings.sentry_dns)
 
 
diff --git a/app/config.py b/app/config.py
index d81935e6..b2eff394 100644
--- a/app/config.py
+++ b/app/config.py
@@ -1,6 +1,7 @@
 from enum import Enum
 from pathlib import Path
 
+from pydantic import Field
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
 ROOT_DIR = Path(__file__).parent.parent
@@ -35,7 +36,8 @@ class Settings(BaseSettings):
     postgres_user: str
     postgres_password: str
     postgres_host: str
-    postgres_port: int = 5432
+    postgres_port: int = Field(default=5432)
+    cors_allow_origins: list[str] = Field(default=[])
     oauth2_server_url: str | None = None
     sentry_dns: str | None = None
     log_level: LoggingLevel = LoggingLevel.INFO
diff --git a/docker-compose.yml b/docker-compose.yml
index 77713c67..7621cd04 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,6 +9,7 @@ x-api-common: &api-common
     - POSTGRES_PASSWORD
     - POSTGRES_HOST
     - POSTGRES_PORT
+    - CORS_ALLOW_ORIGINS
     - OAUTH2_SERVER_URL
     - SENTRY_DNS
     - LOG_LEVEL