diff --git a/packages/api/src/server.js b/packages/api/src/server.js
index cd738deeff..6f059ec17e 100644
--- a/packages/api/src/server.js
+++ b/packages/api/src/server.js
@@ -253,6 +253,19 @@ const rejectBodyInGetAndDelete = (req, res, next) => {
 next();
 };
+const getAllowedOrigin = () => {
+ switch (environment) {
+ case 'development':
+ return 'http://localhost:3000';
+ case 'integration':
+ return 'https://beta.litefarm.org';
+ case 'production':
+ return 'https://app.litefarm.org';
+ default:
+ return 'https://app.litefarm.org';
+ }
+};
+
 app
 .use(applyExpressJSON)
 .use(express.urlencoded({ extended: true }))
@@ -261,7 +274,8 @@ app
 // prevent CORS errors
 .use(cors())
 .use((req, res, next) => {
- res.header('Access-Control-Allow-Origin', '*');
+ const origin = getAllowedOrigin();
+ res.header('Access-Control-Allow-Origin', origin);
 res.header(
 'Access-Control-Allow-Headers',
 'Origin, X-Requested-With, Content-Type, Accept, Authorization',
diff --git a/packages/webapp/nginx.conf b/packages/webapp/nginx.conf
index 68d55db9a7..7d19ff490a 100644
--- a/packages/webapp/nginx.conf
+++ b/packages/webapp/nginx.conf
@@ -93,7 +93,7 @@ http {
 proxy_set_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE';
 proxy_pass_request_headers on;
- proxy_set_header 'Access-Control-Allow-Origin' '*';
+ proxy_set_header 'Access-Control-Allow-Origin' 'https://beta.litefarm.org';
 proxy_pass http://backend:5000/;
 }
 listen 443 ssl; # managed by Certbot
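Review bot: The `default` branch of `getAllowedOrigin` returns the production origin, so an unset or misspelled `environment` silently gets production CORS settings instead of surfacing a configuration error; `environment` is defined outside this hunk, so I cannot confirm it is always one of the three listed values. A misconfiguration here is easier to catch at startup than from a browser console, so consider `default: throw new Error(\`Unknown environment for CORS origin: ${environment}\`);`, or at least a `console.warn` naming the fallback. The three URLs are also hard-coded; reading them from configuration alongside `environment` would keep this file from needing a code change for each new deployment.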
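Review bot: The restricted `Access-Control-Allow-Origin` is set in a middleware that runs after `.use(cors())`, and with its default options the `cors` package answers OPTIONS preflight requests itself with `Access-Control-Allow-Origin: *` and ends the response, so preflights never reach the new header logic and still advertise the wildcard. The intended restriction only takes effect on non-preflight responses, which is the part browsers do not gate on for most cross-origin requests with custom headers. Configuring the origin in one place closes that gap: `.use(cors({ origin: getAllowedOrigin() }))` and then drop the manual `res.header('Access-Control-Allow-Origin', origin)` line, which also removes the two-places-to-keep-in-sync problem with the `Allow-Headers`/`Allow-Methods` values below. The surrounding `app.use(...)` chain continues outside the hunk.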
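Review bot: `proxy_set_header` sets a header on the request forwarded to the upstream, not on the response returned to the browser, so the new `Access-Control-Allow-Origin` value is never seen by the client and the tightening has no effect at this layer; the same applies to the `Access-Control-Allow-Methods` context line above it. If nginx is meant to emit CORS headers, the directive is `add_header 'Access-Control-Allow-Origin' 'https://beta.litefarm.org' always;` (and `always` is needed for it to apply on error responses too); if the Express app is the intended source of these headers, both `proxy_set_header` lines should be removed rather than updated, to avoid a second, inconsistent origin definition. The hard-coded beta origin also suggests this file is environment-specific; the enclosing `location` block starts outside the hunk, so I cannot tell whether it is templated per deployment.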