diff --git a/conf/nginx/yunohost_api.conf.inc b/conf/nginx/yunohost_api.conf.inc
index 8133624b3..9cb4ff00d 100644
--- a/conf/nginx/yunohost_api.conf.inc
+++ b/conf/nginx/yunohost_api.conf.inc
@@ -26,18 +26,6 @@ location = /yunohost/api/error/502 {
 
 location /yunohost/portalapi/ {
 
-    # FIXME FIXME FIXME : we should think about what we really want here ... 
-    more_set_headers "Access-Control-Allow-Origin: $http_origin";
-    more_set_headers "Access-Control-Allow-Methods: GET, HEAD, POST, OPTIONS, DELETE";
-    more_set_headers "Access-Control-Allow-Headers: Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With";
-    more_set_headers "Access-Control-Allow-Credentials: true";
-
-    if ($request_method = 'OPTIONS') {
-        more_set_headers "Content-Type: text/plain; charset=utf-8";
-        more_set_headers "Content-Length: 0";
-        return 204;
-    }
-
     proxy_read_timeout 5s;
     proxy_pass http://127.0.0.1:6788/;
     proxy_http_version 1.1;
diff --git a/src/__init__.py b/src/__init__.py
index 146485d2d..99f3739bf 100644
--- a/src/__init__.py
+++ b/src/__init__.py
@@ -50,6 +50,13 @@ def cli(debug, quiet, output_as, timeout, args, parser):
 
 
 def api(debug, host, port):
+
+    allowed_cors_origins = []
+    allowed_cors_origins_file = "/etc/yunohost/.admin-api-allowed-cors-origins"
+
+    if os.path.exists(allowed_cors_origins_file):
+        allowed_cors_origins = open(allowed_cors_origins_file).read().strip().split(",")
+
     init_logging(interface="api", debug=debug)
 
     def is_installed_api():
@@ -64,12 +71,19 @@ def api(debug, host, port):
         actionsmap="/usr/share/yunohost/actionsmap.yml",
         locales_dir="/usr/share/yunohost/locales/",
         routes={("GET", "/installed"): is_installed_api},
+        allowed_cors_origins=allowed_cors_origins,
     )
     sys.exit(ret)
 
 
 def portalapi(debug, host, port):
 
+    allowed_cors_origins = []
+    allowed_cors_origins_file = "/etc/yunohost/.portal-api-allowed-cors-origins"
+
+    if os.path.exists(allowed_cors_origins_file):
+        allowed_cors_origins = open(allowed_cors_origins_file).read().strip().split(",")
+
     # FIXME : is this the logdir we want ? (yolo to work around permission issue)
     init_logging(interface="portalapi", debug=debug, logdir="/var/log")
 
@@ -77,7 +91,8 @@ def portalapi(debug, host, port):
         host=host,
         port=port,
         actionsmap="/usr/share/yunohost/actionsmap-portal.yml",
-        locales_dir="/usr/share/yunohost/locales/"
+        locales_dir="/usr/share/yunohost/locales/",
+        allowed_cors_origins=allowed_cors_origins,
     )
     sys.exit(ret)