diff --git a/config/cors_config.yml.hudson b/config/cors_config.yml.hudson
index 4607e4af2..7f8df9e3c 100644
--- a/config/cors_config.yml.hudson
+++ b/config/cors_config.yml.hudson
@@ -4,7 +4,11 @@ default: &default
 expose: [ ETag, X-CSRF-Token ]
 max_age: 300
 allows:
- - {origins: '*', resource: '*'}
+ - { origins: !ruby/regexp '/^https?:\/\/(127\.0\.0\.1|localhost|[a-z0-9-]+\.local)(:\d+)?$/', resource: '/users*', credentials: true }
+ - { origins: !ruby/regexp '/^https?:\/\/(127\.0\.0\.1|localhost|[a-z0-9-]+\.local)(:\d+)?$/', resource: '/oauth/*', credentials: true }
+ - { origins: '*', resource: '/api/*' }
+ - { origins: '*', resource: '/graphql' }
+
 development:
 <<: *default
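Review bot: The two credentialed rules anchor their origin pattern with `^` and `$`, which in Ruby match at line boundaries rather than at the ends of the string; use `\A` and `\z` so the whole Origin value has to match: `!ruby/regexp '/\Ahttps?:\/\/(127\.0\.0\.1|localhost|[a-z0-9-]+\.local)(:\d+)?\z/'`. These rules sit under `default`, which `development` merges and other environments may too (not visible in this hunk), so confirm that credentialed access for any `*.local` host over plain http is not inherited outside local and CI setups. The `!ruby/regexp` tag also means the file will not load under a plain `YAML.safe_load`; if the loader has to change, permitting `Regexp` explicitly is preferable to an unrestricted load. The pattern is repeated verbatim on both lines, so a YAML anchor would keep the two rules from drifting apart.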