diff --git a/config/discourse_defaults.conf b/config/discourse_defaults.conf
index f886093481a..9265ecfac78 100644
--- a/config/discourse_defaults.conf
+++ b/config/discourse_defaults.conf
@@ -93,7 +93,7 @@ asset_redis_url =
 
 # enable Cross-origin Resource Sharing (CORS) directly at the application level
 enable_cors = false
-cors_origin = '*'
+cors_origin = ''
 
 # enable if you really need to serve assets in prd
 serve_static_assets = false
diff --git a/config/initializers/08-rack-cors.rb b/config/initializers/08-rack-cors.rb
index e37038193b6..b59f22db7a4 100644
--- a/config/initializers/08-rack-cors.rb
+++ b/config/initializers/08-rack-cors.rb
@@ -1,24 +1,30 @@
-if GlobalSetting.enable_cors && GlobalSetting.cors_origin.present?
-
+if GlobalSetting.enable_cors
   class Discourse::Cors
     def initialize(app, options = nil)
       @app = app
-      @origins = GlobalSetting.cors_origin.split(',').map(&:strip)
+      if GlobalSetting.enable_cors && GlobalSetting.cors_origin.present?
+        @global_origins = GlobalSetting.cors_origin.split(',').map(&:strip)
+      end
     end
 
     def call(env)
       status, headers, body = @app.call(env)
       origin = nil
+      cors_origins = @global_origins || []
+      cors_origins += SiteSetting.cors_origins.split('|') if SiteSetting.cors_origins
 
-      if origin = env['HTTP_ORIGIN']
-        origin = nil unless @origins.include? origin
+      if cors_origins
+        if origin = env['HTTP_ORIGIN']
+          origin = nil unless cors_origins.include?(origin)
+        end
+
+        headers['Access-Control-Allow-Origin'] = origin || cors_origins[0]
+        headers['Access-Control-Allow-Credentials'] = "true"
       end
 
-      headers['Access-Control-Allow-Origin'] = origin || @origins[0]
-      headers['Access-Control-Allow-Credentials'] = "true"
       [status,headers,body]
     end
   end
 
-  Rails.configuration.middleware.insert 0, Discourse::Cors
+  Rails.configuration.middleware.use Discourse::Cors
 end
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 19f4bf2397a..08ada8ca238 100644
--- a/config/locales/server.en.yml
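Review bot: `cors_origin = ''` carries no description of the value it takes, while the initializer changed in the same commit splits it on commas and compares each entry verbatim against the browser's Origin header, so an entry written with a trailing slash or a path would never match. A comment above the line would save operators from guessing, e.g. `# comma-separated list of origins allowed when enable_cors is true; each entry is scheme://host[:port], exactly as the browser sends Origin`. Changing the default away from `'*'` looks right, since the middleware always pairs the origin with `Access-Control-Allow-Credentials: true`, a combination browsers are expected to reject for a wildcard.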
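Review bot: `if cors_origins` in `call` can never be false, because `cors_origins` is always an Array (`@global_origins || []` plus the `+=`) and an empty Array is truthy in Ruby, so with nothing configured every response still gets `Access-Control-Allow-Origin` set to `cors_origins[0]`, i.e. nil, together with `Access-Control-Allow-Credentials: true`; the guard should be `unless cors_origins.empty?`. The site-setting entries are also not stripped the way the global ones are, so a stray space around `|` silently makes that origin never match. Because the header value now depends on the request's Origin, the response should also carry `Vary: Origin` (appended to any Vary an inner middleware already set) so a shared cache does not hand one origin's response to another. When the request Origin is not in the list the code still answers with the first configured origin; omitting the header in that case is clearer and does not advertise the configured origin to arbitrary callers.
```ruby
      cors_origins = @global_origins || []
      cors_origins += SiteSetting.cors_origins.split('|').map(&:strip) if SiteSetting.cors_origins.present?

      unless cors_origins.empty?
        if origin = env['HTTP_ORIGIN']
          origin = nil unless cors_origins.include?(origin)
        end

        # … unchanged: Access-Control-Allow-Origin / -Credentials headers …
      end
```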
+++ b/config/locales/server.en.yml
@@ -726,6 +726,7 @@ en:
     enable_escaped_fragments: "Fall back to Google's Ajax-Crawling API if no webcrawler is detected. See https://support.google.com/webmasters/answer/174992?hl=en"
     enable_noscript_support: "Enable standard webcrawler search engine support via the noscript tag"
     allow_moderators_to_create_categories: "Allow moderators to create new categories"
+    cors_origins: "Allowed origins for cross-origin requests (CORS). Each origin must include http:// or https://. The DISCOURSE_ENABLE_CORS env variable must be set to true to enable CORS."
     top_menu: "Determine which items appear in the homepage navigation, and in what order. Example latest|new|unread|starred|categories|top|read|posted"
     post_menu: "Determine which items appear on the post menu, and in what order. Example like|edit|flag|delete|share|bookmark|reply"
     post_menu_hidden_items: "The menu items to hide by default in the post menu unless an expansion ellipsis is clicked on."
diff --git a/config/site_settings.yml b/config/site_settings.yml
index cf291118c85..c7c91b839aa 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -542,6 +542,9 @@ security:
   allow_index_in_robots_txt: true
   enable_noscript_support: true
   allow_moderators_to_create_categories: false
+  cors_origins:
+    default: ''
+    type: list
 
 onebox:
   enable_flash_video_onebox: false