diff --git a/config.json.example b/config.json.example
index 9e3daa2b5..77a147d0c 100644
--- a/config.json.example
+++ b/config.json.example
@@ -82,6 +82,7 @@
         "listen_port": 8080,
         "verbosity": "info",
         "jwt_secret_key": "somethingrandom",
+        "CORS_origins": [],
         "username": "",
         "password": ""
     },
diff --git a/config_binance.json.example b/config_binance.json.example
index b45e69bba..82943749d 100644
--- a/config_binance.json.example
+++ b/config_binance.json.example
@@ -87,6 +87,7 @@
         "listen_port": 8080,
         "verbosity": "info",
         "jwt_secret_key": "somethingrandom",
+        "CORS_origins": [],
         "username": "",
         "password": ""
     },
diff --git a/config_full.json.example b/config_full.json.example
index 5b8fa256b..e1be01690 100644
--- a/config_full.json.example
+++ b/config_full.json.example
@@ -124,6 +124,7 @@
         "listen_port": 8080,
         "verbosity": "info",
         "jwt_secret_key": "somethingrandom",
+        "CORS_origins": [],
         "username": "freqtrader",
         "password": "SuperSecurePassword"
     },
diff --git a/config_kraken.json.example b/config_kraken.json.example
index 7e4001ff3..fb983a4a3 100644
--- a/config_kraken.json.example
+++ b/config_kraken.json.example
@@ -93,6 +93,7 @@
         "listen_port": 8080,
         "verbosity": "info",
         "jwt_secret_key": "somethingrandom",
+        "CORS_origins": [],
         "username": "",
         "password": ""
     },
diff --git a/docs/rest-api.md b/docs/rest-api.md
index 33f62f884..a8d902b53 100644
--- a/docs/rest-api.md
+++ b/docs/rest-api.md
@@ -13,6 +13,7 @@ Sample configuration:
         "listen_port": 8080,
         "verbosity": "info",
         "jwt_secret_key": "somethingrandom",
+        "CORS_origins": [],
         "username": "Freqtrader",
         "password": "SuperSecret1!"
     },
@@ -232,3 +233,26 @@ Since the access token has a short timeout (15 min) - the `token/refresh` reques
 > curl -X POST --header "Authorization: Bearer ${refresh_token}"http://localhost:8080/api/v1/token/refresh
 {"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODkxMTk5NzQsIm5iZiI6MTU4OTExOTk3NCwianRpIjoiMDBjNTlhMWUtMjBmYS00ZTk0LTliZjAtNWQwNTg2MTdiZDIyIiwiZXhwIjoxNTg5MTIwODc0LCJpZGVudGl0eSI6eyJ1IjoiRnJlcXRyYWRlciJ9LCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.1seHlII3WprjjclY6DpRhen0rqdF4j6jbvxIhUFaSbs"}
 ```
+
+## CORS
+
+All web-based frontends are subject to [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) - Cross-Origin Resource Sharing.
+Since most of the requests to the Freqtrade API must be authenticated, a proper CORS policy is key to avoid security problems.
+Also, the standard disallows `*` CORS policies for requests with credentials, so this setting must be set appropriately.
+
+Users can configure this themselves via the `CORS_origins` configuration setting.
+It consists of a list of allowed sites that are allowed to consume resources from the bot's API.
+
+Assuming your application is deployed as `https://frequi.freqtrade.io/home/` - this would mean that the following configuration becomes necessary:
+
+```jsonc
+{
+    //...
+    "jwt_secret_key": "somethingrandom",
+    "CORS_origins": ["https://frequi.freqtrade.io"],
+    //...
+}
+```
+
+!!! Note
+    We strongly recommend to also set `jwt_secret_key` to something random and known only to yourself to avoid unauthorized access to your bot.
diff --git a/freqtrade/constants.py b/freqtrade/constants.py
index 92824f4c4..2cfff07cd 100644
--- a/freqtrade/constants.py
+++ b/freqtrade/constants.py
@@ -222,6 +222,8 @@ CONF_SCHEMA = {
                 },
                 'username': {'type': 'string'},
                 'password': {'type': 'string'},
+                'jwt_secret_key': {'type': 'string'},
+                'CORS_origins': {'type': 'array', 'items': {'type': 'string'}},
                 'verbosity': {'type': 'string', 'enum': ['error', 'info']},
             },
             'required': ['enabled', 'listen_ip_address', 'listen_port', 'username', 'password']
diff --git a/freqtrade/rpc/api_server.py b/freqtrade/rpc/api_server.py
index f424bea92..a2cef9a98 100644
--- a/freqtrade/rpc/api_server.py
+++ b/freqtrade/rpc/api_server.py
@@ -90,7 +90,9 @@ class ApiServer(RPC):
         self._config = freqtrade.config
         self.app = Flask(__name__)
         self._cors = CORS(self.app,
-                          resources={r"/api/*": {"supports_credentials": True, }}
+                          resources={r"/api/*": {
+                              "supports_credentials": True,
+                              "origins": self._config['api_server'].get('CORS_origins', [])}}
                           )
 
         # Setup the Flask-JWT-Extended extension
diff --git a/freqtrade/templates/base_config.json.j2 b/freqtrade/templates/base_config.json.j2
index 118ae348b..b362690f9 100644
--- a/freqtrade/templates/base_config.json.j2
+++ b/freqtrade/templates/base_config.json.j2
@@ -59,6 +59,7 @@
         "listen_port": 8080,
         "verbosity": "info",
         "jwt_secret_key": "somethingrandom",
+        "CORS_origins": [],
         "username": "",
         "password": ""
     },
diff --git a/tests/rpc/test_rpc_apiserver.py b/tests/rpc/test_rpc_apiserver.py
index 8e73eacf8..0acb31282 100644
--- a/tests/rpc/test_rpc_apiserver.py
+++ b/tests/rpc/test_rpc_apiserver.py
@@ -24,6 +24,7 @@ def botclient(default_conf, mocker):
     default_conf.update({"api_server": {"enabled": True,
                                         "listen_ip_address": "127.0.0.1",
                                         "listen_port": 8080,
+                                        "CORS_origins": ['http://example.com'],
                                         "username": _TEST_USER,
                                         "password": _TEST_PASS,
                                         }})
@@ -40,13 +41,13 @@ def client_post(client, url, data={}):
                        content_type="application/json",
                        data=data,
                        headers={'Authorization': _basic_auth_str(_TEST_USER, _TEST_PASS),
-                                'Origin': 'example.com'})
+                                'Origin': 'http://example.com'})
 
 
 def client_get(client, url):
     # Add fake Origin to ensure CORS kicks in
     return client.get(url, headers={'Authorization': _basic_auth_str(_TEST_USER, _TEST_PASS),
-                                    'Origin': 'example.com'})
+                                    'Origin': 'http://example.com'})
 
 
 def assert_response(response, expected_code=200, needs_cors=True):
@@ -54,6 +55,7 @@ def assert_response(response, expected_code=200, needs_cors=True):
     assert response.content_type == "application/json"
     if needs_cors:
         assert ('Access-Control-Allow-Credentials', 'true') in response.headers._list
+        assert ('Access-Control-Allow-Origin', 'http://example.com') in response.headers._list
 
 
 def test_api_not_found(botclient):
@@ -110,7 +112,7 @@ def test_api_token_login(botclient):
     rc = client.get(f"{BASE_URI}/count",
                     content_type="application/json",
                     headers={'Authorization': f'Bearer {rc.json["access_token"]}',
-                             'Origin': 'example.com'})
+                             'Origin': 'http://example.com'})
     assert_response(rc)
 
 
@@ -122,7 +124,7 @@ def test_api_token_refresh(botclient):
                      content_type="application/json",
                      data=None,
                      headers={'Authorization': f'Bearer {rc.json["refresh_token"]}',
-                              'Origin': 'example.com'})
+                              'Origin': 'http://example.com'})
     assert_response(rc)
     assert 'access_token' in rc.json
     assert 'refresh_token' not in rc.json