diff --git a/backend/.env.example b/backend/.env.example
index b24f44c..acba733 100644
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -2,6 +2,12 @@ CLIPPER_ENV=development # or production
 
 CLIPPER_BIND_ADDR=localhost:8888
 
+# Required if serving grpc-web, assets, etc from a different hostname.
+# Multiple domains can be separated with commas.
+#
+# Example: http://localhost:3000
+CLIPPER_CORS_ALLOWED_ORIGINS=
+
 # PostgreSQL connection string.
 CLIPPER_DATABASE_URL=
 
diff --git a/backend/server/server.go b/backend/server/server.go
index a926063..6d2a8f2 100644
--- a/backend/server/server.go
+++ b/backend/server/server.go
@@ -99,8 +99,16 @@ func Start(options Options) error {
 	mediaSetController := &mediaSetServiceController{mediaSetService: mediaSetService, logger: options.Logger.Sugar().Named("controller")}
 	pbmediaset.RegisterMediaSetServiceServer(grpcServer, mediaSetController)
 
-	// TODO: implement CORS headers
-	grpcHandler := grpcweb.WrapServer(grpcServer, grpcweb.WithOriginFunc(func(string) bool { return true }))
+	// TODO: convert CORSAllowedOrigins to a map[string]struct{}
+	originChecker := func(origin string) bool {
+		for _, s := range conf.CORSAllowedOrigins {
+			if origin == s {
+				return true
+			}
+		}
+		return false
+	}
+	grpcHandler := grpcweb.WrapServer(grpcServer, grpcweb.WithOriginFunc(originChecker))
 	httpHandler := newHTTPHandler(grpcHandler, mediaSetService, conf, options.Logger.Sugar().Named("httpHandler"))
 
 	httpServer := http.Server{