diff --git a/argo/config.py.example b/argo/config.py.example
index 7e9b465..37a264f 100644
--- a/argo/config.py.example
+++ b/argo/config.py.example
@@ -11,3 +11,9 @@ SQL_USER = "postgres" # name of the application database user (string)
 SQL_PASSWORD = "postgres" # password for the application database (string)
 SQL_HOST = "argo-db" # host for the application database (string)
 SQL_PORT = 5432 # port on which the application database can be reached (integer)
+USE_X_FORWARDED_HOST=True # Whether the application is behind a reverse proxy
+USE_X_FORWARDED_PORT=True # Whether the application is behind a reveres proxy on another port (e.g. HTTPS?)
+SECURE_PROXY_SSL_HEADER=['HTTP_X_FORWARDED_PROTO', 'https'] # What header should be considered to respond with HTTPS urls
+DJANGO_CORS_ALLOW_ALL_ORIGINS=False # Legacy (risky) setting to allow all CORS origins
+DJANGO_CORS_ALLOWED_ORIGINS=["http://localhost", "http://localhost:3000"] # A list of allowed CORS origins
+
diff --git a/argo/settings.py b/argo/settings.py
index 5398b18..f98f332 100644
--- a/argo/settings.py
+++ b/argo/settings.py
@@ -152,6 +152,7 @@
 }
 
 # CORS settings
-CORS_ORIGIN_ALLOW_ALL = True
+CORS_ALLOW_ALL_ORIGINS = config.DJANGO_CORS_ALLOW_ALL_ORIGINS
+CORS_ALLOWED_ORIGINS = config.DJANGO_CORS_ALLOWED_ORIGINS
 
 DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'
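Review bot: The example turns on `USE_X_FORWARDED_HOST`, `USE_X_FORWARDED_PORT` and `SECURE_PROXY_SSL_HEADER` by default, which makes Django trust the `X-Forwarded-*` request headers. A deployment copied from this file without a proxy that strips and rewrites those headers lets a client choose the host, port and scheme Django believes it was called with. I would ship them off (`USE_X_FORWARDED_HOST=False`, `USE_X_FORWARDED_PORT=False`, `SECURE_PROXY_SSL_HEADER=None`) and reword the comments to say they should be enabled only behind a proxy that overwrites the headers. The settings.py hunk in this diff wires only the two CORS values, so whether these three are read anywhere cannot be confirmed from here. The `USE_X_FORWARDED_PORT` comment also misspells "reverse" as "reveres".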
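Review bot: `config.DJANGO_CORS_ALLOW_ALL_ORIGINS` and `config.DJANGO_CORS_ALLOWED_ORIGINS` are read unconditionally, so a `config.py` created from the older example (which presumably lacks both names) would raise AttributeError when the settings are loaded. Reading them with a restrictive fallback keeps existing installs starting and fails closed: `CORS_ALLOW_ALL_ORIGINS = getattr(config, 'DJANGO_CORS_ALLOW_ALL_ORIGINS', False)` and `CORS_ALLOWED_ORIGINS = getattr(config, 'DJANGO_CORS_ALLOWED_ORIGINS', [])`. As far as I know the renamed settings are recognised only from django-cors-headers 3.5 on, so the pinned version is worth checking; with an older release they would be ignored without an error. A short comment above the two lines noting that the allow-all flag overrides the origin list would help whoever edits the config later.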