diff --git a/src/.env.example b/src/.env.example
index b9d228f53..7e538830b 100644
--- a/src/.env.example
+++ b/src/.env.example
@@ -2,6 +2,8 @@ NODE_ENV=
 
 RPC_URL=
 SERVER_PORT=
+CORS_ORIGIN=
+CORS_METHOD=
 CONNECTION_STRING=
 TRANSLATIONS_PATH=
 PROCESS_EVENTS_DELAY=
diff --git a/src/server.js b/src/server.js
index 6e9a0b2c0..0dddba22a 100644
--- a/src/server.js
+++ b/src/server.js
@@ -16,29 +16,28 @@ import { InviteRouter } from './Invite'
 import { BidRouter, PublicationRouter } from './Listing'
 import { AuthorizationRouter } from './Authorization'
 
-env.load()
-
 const SERVER_PORT = env.get('SERVER_PORT', 5000)
+const CORS_ORIGIN = env.get('CORS_ORIGIN', '*')
+const CORS_METHOD = env.get('CORS_METHOD', '*')
 
 const app = express()
 const httpServer = http.Server(app)
 
 app.use(bodyParser.urlencoded({ extended: false, limit: '2mb' }))
 app.use(bodyParser.json())
+app.use((_, res, next) => {
+  res.setHeader('Access-Control-Allow-Origin', CORS_ORIGIN)
+  res.setHeader('Access-Control-Request-Method', CORS_METHOD)
+  res.setHeader(
+    'Access-Control-Allow-Methods',
+    'OPTIONS, GET, POST, PUT, DELETE'
+  )
+  res.setHeader('Access-Control-Allow-Headers', 'Content-Type')
 
-if (env.isDevelopment()) {
-  app.use(function(req, res, next) {
-    res.setHeader('Access-Control-Allow-Origin', '*')
-    res.setHeader('Access-Control-Request-Method', '*')
-    res.setHeader(
-      'Access-Control-Allow-Methods',
-      'OPTIONS, GET, POST, PUT, DELETE'
-    )
-    res.setHeader('Access-Control-Allow-Headers', 'Content-Type')
+  next()
+})
 
-    next()
-  })
-} else {
+if (!env.isDevelopment()) {
   // This is not ideal, but adding newrelic to development is worst
   require('newrelic')
 }