diff --git a/config.json.example b/config.json.example
index 9e3daa2b5..77a147d0c 100644
--- a/config.json.example
+++ b/config.json.example
@@ -82,6 +82,7 @@
 "listen_port": 8080,
 "verbosity": "info",
 "jwt_secret_key": "somethingrandom",
+ "CORS_origins": [],
 "username": "",
 "password": ""
 },
diff --git a/config_binance.json.example b/config_binance.json.example
index b45e69bba..82943749d 100644
--- a/config_binance.json.example
+++ b/config_binance.json.example
@@ -87,6 +87,7 @@
 "listen_port": 8080,
 "verbosity": "info",
 "jwt_secret_key": "somethingrandom",
+ "CORS_origins": [],
 "username": "",
 "password": ""
 },
diff --git a/config_full.json.example b/config_full.json.example
index 1fd1b44a5..3a8667da4 100644
--- a/config_full.json.example
+++ b/config_full.json.example
@@ -123,6 +123,7 @@
 "listen_port": 8080,
 "verbosity": "info",
 "jwt_secret_key": "somethingrandom",
+ "CORS_origins": [],
 "username": "freqtrader",
 "password": "SuperSecurePassword"
 },
diff --git a/config_kraken.json.example b/config_kraken.json.example
index 7e4001ff3..fb983a4a3 100644
--- a/config_kraken.json.example
+++ b/config_kraken.json.example
@@ -93,6 +93,7 @@
 "listen_port": 8080,
 "verbosity": "info",
 "jwt_secret_key": "somethingrandom",
+ "CORS_origins": [],
 "username": "",
 "password": ""
 },
diff --git a/docs/rest-api.md b/docs/rest-api.md
index 33f62f884..630c952b4 100644
--- a/docs/rest-api.md
+++ b/docs/rest-api.md
@@ -13,6 +13,7 @@ Sample configuration:
 "listen_port": 8080,
 "verbosity": "info",
 "jwt_secret_key": "somethingrandom",
+ "CORS_origins": [],
 "username": "Freqtrader",
 "password": "SuperSecret1!"
 },
@@ -232,3 +233,26 @@ Since the access token has a short timeout (15 min) - the `token/refresh` reques
 > curl -X POST --header "Authorization: Bearer ${refresh_token}"http://localhost:8080/api/v1/token/refresh
 {"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODkxMTk5NzQsIm5iZiI6MTU4OTExOTk3NCwianRpIjoiMDBjNTlhMWUtMjBmYS00ZTk0LTliZjAtNWQwNTg2MTdiZDIyIiwiZXhwIjoxNTg5MTIwODc0LCJpZGVudGl0eSI6eyJ1IjoiRnJlcXRyYWRlciJ9LCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.1seHlII3WprjjclY6DpRhen0rqdF4j6jbvxIhUFaSbs"}
 ```
+
+## CORS
+
+All web-based frontends are subject to [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) - Cross-Origin Resource Sharing.
+Since most request to the Freqtrade API must be authenticated, a proper CORS policy is key to avoid security problems.
+Also, the Standard disallows `*` CORS policies for requests with credentials, so this setting must be done appropriately.
+
+Users can configure this themselfs via the `CORS_origins` configuration setting.
+It consists of a list of allowed sites that are allowed to consume resources from the bot's API.
+
+Assuming your Application would be deployed as `https://frequi.freqtrade.io/home/` - this would mean that the following configuration becomes necessary:
+
+```jsonc
+{
+ //...
+ "jwt_secret_key": "somethingrandom",
+ "CORS_origins": ["https://frequi.freqtrade.io"],
+ //...
+}
+```
+
+!!! Note
+ We strongly recommend to also set `jwt_secret_key` to something random and known only to yourself to avoid unauthorized access to your bot.
diff --git a/freqtrade/constants.py b/freqtrade/constants.py
index 6741e0605..1f8944ed9 100644
--- a/freqtrade/constants.py
+++ b/freqtrade/constants.py
@@ -221,6 +221,8 @@ CONF_SCHEMA = {
 },
 'username': {'type': 'string'},
 'password': {'type': 'string'},
+ 'jwt_secret_key': {'type': 'string'},
+ 'CORS_origins': {'type': 'array', 'items': {'type': 'string'}},
 'verbosity': {'type': 'string', 'enum': ['error', 'info']},
 },
 'required': ['enabled', 'listen_ip_address', 'listen_port', 'username', 'password']
diff --git a/freqtrade/rpc/api_server.py b/freqtrade/rpc/api_server.py
index f424bea92..a2cef9a98 100644
--- a/freqtrade/rpc/api_server.py
+++ b/freqtrade/rpc/api_server.py
@@ -90,7 +90,9 @@ class ApiServer(RPC):
 self._config = freqtrade.config
 self.app = Flask(__name__)
 self._cors = CORS(self.app,
- resources={r"/api/*": {"supports_credentials": True, }}
+ resources={r"/api/*": {
+ "supports_credentials": True,
+ "origins": self._config['api_server'].get('CORS_origins', [])}}
 )
 
 # Setup the Flask-JWT-Extended extension
diff --git a/freqtrade/templates/base_config.json.j2 b/freqtrade/templates/base_config.json.j2
index 118ae348b..b362690f9 100644
--- a/freqtrade/templates/base_config.json.j2
+++ b/freqtrade/templates/base_config.json.j2
@@ -59,6 +59,7 @@
 "listen_port": 8080,
 "verbosity": "info",
 "jwt_secret_key": "somethingrandom",
+ "CORS_origins": [],
 "username": "",
 "password": ""
 },
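Review bot: The new `CORS_origins` items schema accepts any string, so a value such as `"*"` passes validation even though the docs hunk in this same commit states that wildcard policies are disallowed for credentialed requests and the Flask-CORS resource in `api_server.py` is configured with `supports_credentials: True`. As far as I recall, Flask-CORS treats `*` as a match-all pattern and, with `send_wildcard` at its default, echoes the request's `Origin` header back rather than sending `*`, which would make credentialed cross-origin requests acceptable from any site; please verify against the installed Flask-CORS version. Rejecting it at the schema is cheap: `'CORS_origins': {'type': 'array', 'items': {'type': 'string', 'not': {'enum': ['*']}}},`. Separately, `jwt_secret_key` is validated only as a string and is not added to the `'required'` list visible at the end of the hunk, while the docs note strongly recommends setting it; `'jwt_secret_key': {'type': 'string', 'minLength': 1}` would at least reject an empty value.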
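Review bot: The `origins` value is read inline inside the nested `resources` dict literal, which leaves the last added line ending in `)}}` with the config lookup, the dict close and the resources close packed together; pulling it into a named local before the `CORS(...)` call reads better and gives a natural place to document the contract. Something like `cors_origins = self._config['api_server'].get('CORS_origins', [])` preceded by `# Empty list: no cross-origin access at all. Credentials are enabled, so '*' must never be allowed here.` would do. As far as I recall, Flask-CORS interprets origin entries that contain regex metacharacters as patterns rather than exact strings, so the comment should also state that entries are meant as exact origins (scheme, host, port) unless a pattern is intended; confirm against the installed version. The enclosing method starts and ends outside the hunk.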