diff --git a/deploy/default.conf b/deploy/default.conf
index e4e1d5f527e6..b53643939fd8 100644
--- a/deploy/default.conf
+++ b/deploy/default.conf
@@ -40,6 +40,7 @@ http {
 '"content_type":"$content_type",'
 '"useragent":"$http_user_agent",'
 '"referrer":"$http_referer",'
+ '"origin":"$http_origin",'
 '"x_forwarded_for":"$http_x_forwarded_for",'
 '"url":"$request_uri",'
 '"version":"$server_protocol",'
diff --git a/label_studio/core/settings/base.py b/label_studio/core/settings/base.py
index 4dc9a048fc24..34e242189e1d 100644
--- a/label_studio/core/settings/base.py
+++ b/label_studio/core/settings/base.py
@@ -275,7 +275,15 @@
 '127.0.0.1',
 'localhost',
 ]
-CORS_ORIGIN_ALLOW_ALL = True
+
+ # Typical secure configuration is simply set CORS_ALLOW_ALL_ORIGINS = False in the env
+ if allowed_origins := get_env_list('CORS_ALLOWED_ORIGINS'):
+ CORS_ALLOWED_ORIGINS = allowed_origins
+ elif allowed_origin_regexes := get_env_list('CORS_ALLOWED_ORIGIN_REGEXES'):
+ CORS_ALLOWED_ORIGIN_REGEXES = allowed_origin_regexes
+ else:
+ CORS_ALLOW_ALL_ORIGINS = get_bool_env('CORS_ALLOW_ALL_ORIGINS', True)
+
 CORS_ALLOW_METHODS = [
 'DELETE',
 'GET',
diff --git a/poetry.lock b/poetry.lock
index b6441cd53a92..e33b517016d3 100644
--- a/poetry.lock
+++ b/poetry.lock
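Review bot: `$http_origin` is copied verbatim from the client's Origin header, so the added JSON field is only safe to parse if the enclosing `log_format` directive (its opening line is outside this hunk) declares `escape=json`; with nginx's default escaping a `"` or `\` in the header value is written as `\x22` / `\x5C`, which is not valid JSON and breaks the line for any consumer that reads these logs as JSON. If the directive already carries `escape=json` nothing needs to change; otherwise add `escape=json` after the format name on the `log_format` line. The same concern already applies to the existing `$http_user_agent` and `$http_referer` fields, so it is worth confirming once for the whole directive.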
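Review bot: The `if`/`elif` chain makes `CORS_ALLOWED_ORIGINS` and `CORS_ALLOWED_ORIGIN_REGEXES` mutually exclusive, so a deployment that sets both environment variables silently loses the regex list although django-cors-headers evaluates both settings together, and the `else` branch still defaults `CORS_ALLOW_ALL_ORIGINS` to `True`, so a deployment that sets none of the three variables keeps accepting every origin, which the comment above only hints at. Assigning both lists unconditionally and enabling allow-all only when both are empty keeps the stated intent while honouring both lists; this assumes `get_env_list` returns an empty list for an unset variable, which the walrus tests imply but which is not visible here. It would also help to state the default explicitly in the comment, e.g. `# Default is allow-all unless CORS_ALLOWED_ORIGINS / CORS_ALLOWED_ORIGIN_REGEXES are set or CORS_ALLOW_ALL_ORIGINS=false`. The `CORS_ALLOW_METHODS` list continues beyond the end of the hunk.
```python
# Typical secure configuration is simply set CORS_ALLOW_ALL_ORIGINS = False in the env
CORS_ALLOWED_ORIGINS = get_env_list('CORS_ALLOWED_ORIGINS')
CORS_ALLOWED_ORIGIN_REGEXES = get_env_list('CORS_ALLOWED_ORIGIN_REGEXES')
# Fall back to allow-all only when no explicit allow-list is configured
CORS_ALLOW_ALL_ORIGINS = not (CORS_ALLOWED_ORIGINS or CORS_ALLOWED_ORIGIN_REGEXES) and get_bool_env(
    'CORS_ALLOW_ALL_ORIGINS', True
)
# … unchanged: CORS_ALLOW_METHODS …
```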
@@ -760,18 +760,19 @@ six = "*" [[package]] name = "django-cors-headers" -version = "3.6.0" +version = "4.7.0" description = "django-cors-headers is a Django application for handling the server headers required for Cross-Origin Resource Sharing (CORS)." optional = false -python-versions = ">=3.6" +python-versions = ">=3.9" groups = ["main"] files = [ - {file = "django-cors-headers-3.6.0.tar.gz", hash = "sha256:5665fc1b1aabf1b678885cf6f8f8bd7da36ef0a978375e767d491b48d3055d8f"}, - {file = "django_cors_headers-3.6.0-py3-none-any.whl", hash = "sha256:ba898dd478cd4be3a38ebc3d8729fa4d044679f8c91b2684edee41129d7e968a"}, + {file = "django_cors_headers-4.7.0-py3-none-any.whl", hash = "sha256:f1c125dcd58479fe7a67fe2499c16ee38b81b397463cf025f0e2c42937421070"}, + {file = "django_cors_headers-4.7.0.tar.gz", hash = "sha256:6fdf31bf9c6d6448ba09ef57157db2268d515d94fc5c89a0a1028e1fc03ee52b"}, ] [package.dependencies] -Django = ">=2.2" +asgiref = ">=3.6" +django = ">=4.2" [[package]] name = "django-csp"
@@ -4950,4 +4951,4 @@ uwsgi = ["pyuwsgi", "uwsgitop"] [metadata] lock-version = "2.1" python-versions = ">=3.10,<4" -content-hash = "88140370916383f3045ee7dddba219ddc7fb5a3133e932edcccb2f305d921c67" +content-hash = "bd6b7cec643037a5a8f5c5f0ed6e8b9f5ced3f4a6db41bc63d4d5488fcf58b2b"
diff --git a/pyproject.toml b/pyproject.toml
index e3a26dae1649..66e046e1335d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -167,7 +167,7 @@ django-environ = "0.10.0"
 django-filter = "24.3"
 django-model-utils = "4.1.1"
 django-rq = "^2.10.2"
-django-cors-headers = "3.6.0"
+django-cors-headers = "4.7.0"
 django-extensions = "3.2.3"
 django-user-agents = "0.4.0"
 django-ranged-fileresponse = ">=0.1.2"