diff --git a/src/config.js b/src/config.js
index e3e95fb..2142b16 100644
--- a/src/config.js
+++ b/src/config.js
@@ -3,7 +3,10 @@ export const watchedGuildIds = ["822089558886842418", "736292509134749807"];
 export const jwtSecret = process.env.JWT_SECRET;
 export const jwtHandoffSecret = process.env.JWT_HANDOFF_SECRET;
 export const discordToken = process.env.DISCORD_TOKEN;
-export const dangerousAdminMode = true;
+export const dangerousAdminMode = false;
+export const allowedHosts = [
+  `http://localhost:${mainHttpListenPort}`
+];
 export const logContextMap = {
   DiscordClient: {
     log: true,
diff --git a/src/routes/api.js b/src/routes/api.js
index 05bc2d8..7657101 100644
--- a/src/routes/api.js
+++ b/src/routes/api.js
@@ -1,6 +1,6 @@
 import express from "express";
 import { guildMap, logger } from "../common.js";
-import { dangerousAdminMode } from "../config.js";
+import { allowedHosts, dangerousAdminMode } from "../config.js";
 import { checkAuth, createHandoffToken, createToken, decodeHandoffToken } from "../tokens.js";
 import { v4 } from "uuid";
 import { gatewayServer } from "../commonservers.js";
@@ -9,6 +9,19 @@ const error = logger("error", "API");
 
 const router = express();
 
+// https://stackoverflow.com/questions/24897801/enable-access-control-allow-origin-for-multiple-domains-in-node-js
+router.use((req, res, next) => {
+  const allowedOrigins = allowedHosts;
+  const origin = req.headers.origin;
+  if (allowedOrigins.includes(origin)) {
+    res.setHeader("Access-Control-Allow-Origin", origin);
+  }
+  res.header("Access-Control-Allow-Methods", "GET, OPTIONS");
+  res.header("Access-Control-Allow-Headers", "Content-Type, Authorization");
+  res.header("Access-Control-Allow-Credentials", false);
+  return next();
+});
+
 router.get("/", (req, res) => {
   res.status(200).send({ error: false, message: "SUCCESS_API_OK" });
 });
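Review bot: `mainHttpListenPort` is used in the new `allowedHosts` template literal but nothing in this hunk declares or imports it; unless it is defined in lines 1–2 of config.js (outside the hunk), evaluating the module throws a ReferenceError at startup, so please confirm it is in scope. The allowlist is also fixed to a single `http://localhost:<port>` origin, which means any deployed front-end served from another host will be denied by the CORS middleware that consumes it; since the secrets on the neighbouring lines already come from the environment, the same pattern fits here, e.g. `export const allowedHosts = (process.env.ALLOWED_HOSTS ?? \`http://localhost:${mainHttpListenPort}\`).split(",");`. A one-line comment such as `// Exact-match allowlist for the Origin request header (scheme + host + port, no trailing slash)` would document the format callers must use.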
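Review bot: The middleware reflects the request's Origin into `Access-Control-Allow-Origin` without emitting `Vary: Origin`, so a shared or browser cache may serve a response carrying one origin's allow header to a request from another origin; add `res.setHeader("Vary", "Origin");` next to the `setHeader` call inside the `if` block. `res.header("Access-Control-Allow-Credentials", false)` sends the string `false`, which the Fetch specification does not recognise (only the literal `true` has meaning), so the line can be dropped to avoid implying a credentials policy that is not being set. The `const allowedOrigins = allowedHosts;` alias adds nothing and `allowedHosts.includes(origin)` reads more directly. Preflight OPTIONS requests are passed on via `next()` rather than answered here; Express's default OPTIONS handling probably covers them, but ending them explicitly with `if (req.method === "OPTIONS") return res.sendStatus(204);` after the headers are set would make the preflight behaviour independent of which routes exist.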