diff --git a/www-api/nginx/nginx.conf b/www-api/nginx/nginx.conf
index 7b62df67..878d853c 100644
--- a/www-api/nginx/nginx.conf
+++ b/www-api/nginx/nginx.conf
@@ -35,7 +35,6 @@ http {
                 log_not_found off;
         }
 
-        add_header Access-Control-Allow-Origin *;
         location / {
                  try_files $uri $uri/ /index.php$is_args$args;
         }
@@ -44,6 +43,53 @@ http {
                 fastcgi_pass   host.docker.internal:9999;
                 fastcgi_param  SCRIPT_FILENAME /opt/mainsite/wrenchboard/www-api/public$fastcgi_script_name;
                 include        fastcgi_params;
+
+                # cors configuration
+                # whitelist of allowed domains, via a regular expression
+                # if ($http_origin ~* (http://localhost(:[0-9]+)?)) {
+                ##if ($http_origin ~* .*) { # yeah, for local development. tailor your regex as needed
+                     set $cors "true";
+                ##}
+
+                # apparently, the following three if statements create a flag for "compound conditions"
+                if ($request_method = OPTIONS) {
+                    set $cors "${cors}options";
+                }
+
+                if ($request_method = GET) {
+                    set $cors "${cors}get";
+                }
+
+                if ($request_method = POST) {
+                    set $cors "${cors}post";
+                }
+
+                # now process the flag
+                if ($cors = 'trueget') {
+                    #add_header 'Access-Control-Allow-Origin' "$http_origin";
+                    add_header 'Access-Control-Allow-Origin' "*";
+                    add_header 'Access-Control-Allow-Credentials' 'true';
+                }
+
+                if ($cors = 'truepost') {
+                    #add_header 'Access-Control-Allow-Origin' "$http_origin";
+                    add_header 'Access-Control-Allow-Origin' "*";
+                    add_header 'Access-Control-Allow-Credentials' 'true';
+                }
+
+                if ($cors = 'trueoptions') {
+                    #add_header 'Access-Control-Allow-Origin' "$http_origin";
+                    add_header 'Access-Control-Allow-Origin' "*";
+                    add_header 'Access-Control-Allow-Credentials' 'true';
+
+                    add_header 'Access-Control-Max-Age' 1728000; # cache preflight value for 20 days
+                    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+                    add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
+
+                    add_header 'Content-Length' 0;
+                    add_header 'Content-Type' 'text/plain charset=UTF-8';
+                    return 204;
+                }
         }
 
         error_page 404 /index.php;