diff --git a/app/api/api_root.rb b/app/api/api_root.rb
index e36e21226..6f2e2fe70 100644
--- a/app/api/api_root.rb
+++ b/app/api/api_root.rb
@@ -10,9 +10,6 @@ class ApiRoot < Grape::API
 format :json
 before do
- header['Access-Control-Allow-Origin'] = '*'
- header['Access-Control-Request-Method'] = '*'
-
 Thread.current.thread_variable_set(:ip, request.ip)
 end
diff --git a/config/application.rb b/config/application.rb
index fe280a289..36e403e43 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -244,10 +244,27 @@ def self.fetch_boolean_env(name)
 Rails.root.join('app/models/d2l')
 # CORS config
+ # Configure a strict allowlist. Override per environment via:
+ # CORS_ALLOWED_ORIGINS="http://localhost:4200,https://frontend.example.edu"
+ default_cors_origins = [
+ 'http://localhost:4200',
+ "https://#{config.institution[:host]}"
+ ].uniq
+ allowed_cors_origins = ENV.fetch('CORS_ALLOWED_ORIGINS', default_cors_origins.join(','))
+ .split(',')
+ .map(&:strip)
+ .reject(&:empty?)
+ .uniq
+
 config.middleware.insert_before Warden::Manager, Rack::Cors do
 allow do
- origins '*'
- resource '*', headers: :any, methods: %i(get post put delete options)
+ origins do |source, _env|
+ allowed_cors_origins.include?(source)
+ end
+
+ resource '*',
+ headers: %w[Content-Type Authorization Accept],
+ methods: %i[get post put delete options]
 end
 end
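Review bot: In the config/application.rb hunk, `default_cors_origins` bakes `'http://localhost:4200'` into the allowlist unconditionally, so the new `origins` block accepts that origin in production whenever `CORS_ALLOWED_ORIGINS` is unset; a development origin should only be added in development and test, e.g. `default_cors_origins = ["https://#{config.institution[:host]}"]` followed by `default_cors_origins << 'http://localhost:4200' if Rails.env.development? || Rails.env.test?`. Note also that `ENV.fetch('CORS_ALLOWED_ORIGINS', ...)` replaces the defaults rather than extending them, so an operator who sets the variable for a second frontend silently drops the institution host; the comment above it should say so, e.g. `# NOTE: CORS_ALLOWED_ORIGINS replaces the defaults entirely; include the institution host when overriding.` If `config.institution[:host]` can be nil the default would contain the bare string `"https://"`, which matches nothing and is harmless but probably worth a `.compact`-style guard, assuming that key is optional. The enclosing class body starts and ends outside the hunk.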