diff --git a/src/app.ts b/src/app.ts
index 91362e3..b87d2fd 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -11,7 +11,7 @@ import { connect } from './services/client';
 import { initDb } from './services/database';
 import { initPoolDb } from './services/pool';
 import { createMessage, initiateLogger } from './services/logger';
-import { getRequestId } from './utils';
+import { getRequestId, isPermittedOrigin } from './utils';
 
 interface AppSettings {
   mongoClient?: MongoClient;
@@ -33,13 +33,19 @@ const errorHandler: ErrorRequestHandler = (err, req, res, _next) => {
   }
 };
 
-const reqHandler: RequestHandler = (req, _res, next) => {
+const reqHandler: RequestHandler = (req, res, next) => {
   const reqId = new ObjectId().toString();
   // Custom header specifically for a request ID. This ID will be used to track
   // logs related to the same request
   req.headers['req-id'] = reqId;
   const message = `Request for: ${req.url}`;
   logger.info(createMessage(message, reqId));
+
+  // allow cross origin requests from our web servers
+  const origin = req.headers.origin;
+  if (origin && isPermittedOrigin(origin)) {
+    res.append('Access-Control-Allow-Origin', origin);
+  }
   next();
 };
 
diff --git a/src/utils.ts b/src/utils.ts
index a1a65cd..3b21fc5 100644
--- a/src/utils.ts
+++ b/src/utils.ts
@@ -24,3 +24,21 @@ export const assertTrailingSlash = (str: string) => {
   }
   return `${str}/`;
 };
+
+const STAGING_HOSTNAME = 'netlify.app';
+const PROD_HOSTNAME = 'mongodb.com';
+
+export const isPermittedOrigin = (origin: string | undefined) => {
+  if (!origin) return false;
+  let url;
+  try {
+    url = new URL(origin);
+  } catch (err) {
+    return false;
+  }
+  return (
+    url.protocol === 'https:' &&
+    (url.hostname.split('.').slice(-2).join('.') === STAGING_HOSTNAME ||
+      url.hostname.split('.').slice(-2).join('.') === PROD_HOSTNAME)
+  );
+};