diff --git a/.envdev b/.envdev index 26aa793..50f99a0 100644 --- a/.envdev +++ b/.envdev @@ -1,5 +1,7 @@ WEB_PORT=3300 +WEB_ORIGIN=http://localhost:3001 + DB_HOSTNAME=database DB_DATABASE=chat DB_USERNAME=chat diff --git a/configure-script.js b/configure-script.js index c5fd0ed..4d865b0 100644 --- a/configure-script.js +++ b/configure-script.js @@ -30,6 +30,7 @@ const question = (prompt, def = null) => { //project configuration const appName = await question('App Name', 'chat'); const appWebAddress = await question('Web Addr', `${appName}.example.com`); + const appWebOrigin = await question('Web Origin', `https://example.com`); //TODO: clean these up properly const appPort = await question('App Port', '3300'); const appDBUser = await question('DB User', appName); @@ -59,6 +60,7 @@ services: - "traefik.http.services.${appName}service.loadbalancer.server.port=${appPort}" environment: - WEB_PORT=${appPort} + - WEB_ORIGIN=${appWebOrigin} - DB_HOSTNAME=database - DB_DATABASE=${appName} - DB_USERNAME=${appDBUser} diff --git a/package-lock.json b/package-lock.json index 5031bdd..c430d87 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "chat-server", - "version": "1.2.8", + "version": "1.3.0", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "chat-server", - "version": "1.2.8", + "version": "1.3.0", "license": "ISC", "dependencies": { "cors": "^2.8.5", diff --git a/package.json b/package.json index b11b82b..5124b67 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "chat-server", - "version": "1.2.8", + "version": "1.3.0", "description": "An API centric chat server. Uses Sequelize and mariaDB by default.", "main": "server/server.js", "scripts": { diff --git a/server/server.js b/server/server.js index 2d07610..1d14fdc 100644 --- a/server/server.js +++ b/server/server.js 
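Review bot: The new `Web Origin` prompt in configure-script.js accepts any string and defaults to the placeholder `https://example.com`, and the second hunk writes the answer straight into the compose `environment` list as `- WEB_ORIGIN=${appWebOrigin}`. server.js uses that value as its CORS allow-list, so an operator who presses Enter, or types a value with a path or trailing slash, gets a deployment whose browser clients are silently rejected. A `*` would be passed to the socket.io block as a wildcard. Consider validating the answer before templating it, for example `if (new URL(appWebOrigin).origin !== appWebOrigin) throw new Error('Web Origin must be scheme://host[:port]');`. The enclosing function starts and ends outside both hunks.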
@@ -7,14 +7,19 @@ const app = express();
 const server = require('http').Server(app);
 const io = require('socket.io')(server, {
 cors: {
- origin: '*'
+ origin: process.env.WEB_ORIGIN
 }
 });
 const cors = require('cors');
 //config
 app.use(express.json());
-app.use(cors());
+app.use(cors({
+ credentials: true,
+ origin: [`${process.env.WEB_ORIGIN}`], //because auth-server
+ allowedHeaders: ['Origin', 'X-Requested-With', 'Content-Type', 'Accept', 'Authorization', 'Set-Cookie'],
+ exposedHeaders: ['Origin', 'X-Requested-With', 'Content-Type', 'Accept', 'Authorization', 'Set-Cookie'],
+}));
 //database connection
 const database = require('./database');
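Review bot: Nothing in this hunk checks that `process.env.WEB_ORIGIN` is set, and the two CORS blocks fail differently when it is missing: socket.io receives `origin: undefined`, which the `cors` package, as far as I recall, treats like `*`, while the Express block receives the literal string `'undefined'` from the template literal and rejects every real origin. With `credentials: true` now enabled on the Express side, the origin value is what limits which site may read credentialed responses, so the server should refuse to start without it and both blocks should read one validated value. `Set-Cookie` does not belong in either header list, since it is a response header that browsers never expose to scripts, and `exposedHeaders` otherwise only repeats request header names, so the sketch below drops it. If the socket.io handshake also depends on the auth-server cookie, its `cors` block probably needs `credentials: true` too; that cannot be confirmed from this hunk.

```javascript
// fail closed: without an explicit origin the server must not start
const webOrigin = process.env.WEB_ORIGIN;
if (!webOrigin) {
  throw new Error('WEB_ORIGIN must be set to the front-end origin');
}
const io = require('socket.io')(server, {
  cors: {
    origin: webOrigin
  }
});
// … unchanged: require('cors'), //config, express.json() …
app.use(cors({
  credentials: true,
  origin: [webOrigin], //because auth-server
  // request headers only; Set-Cookie is a response header and is never script-readable
  allowedHeaders: ['Origin', 'X-Requested-With', 'Content-Type', 'Accept', 'Authorization'],
}));
```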