diff --git a/app/src/main/java/com/kamwithk/ankiconnectandroid/routing/RouteHandler.java b/app/src/main/java/com/kamwithk/ankiconnectandroid/routing/RouteHandler.java
index 8561e9e..47acbf1 100644
--- a/app/src/main/java/com/kamwithk/ankiconnectandroid/routing/RouteHandler.java
+++ b/app/src/main/java/com/kamwithk/ankiconnectandroid/routing/RouteHandler.java
@@ -7,14 +7,17 @@
 import android.content.Context;
 import android.content.SharedPreferences;
+import androidx.annotation.NonNull;
 import androidx.preference.PreferenceManager;
 import com.kamwithk.ankiconnectandroid.ankidroid_api.IntegratedAPI;
 import java.io.IOException;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.stream.Collectors;
 import fi.iki.elonen.NanoHTTPD;
 import fi.iki.elonen.router.RouterNanoHTTPD;
@@ -66,7 +69,7 @@ public NanoHTTPD.Response get(RouterNanoHTTPD.UriResource uriResource, Map headers = session.getHeaders();
+ String origin = headers.get("origin");
+
+ String[] allowedHosts = corsHostsString.split("\\n");
+ List normalizedAllowedHosts = Arrays.stream(allowedHosts)
+ .map(this::normalizeHost)
+ .filter(s -> !s.isEmpty())
+ .collect(Collectors.toList());
+
+ if (normalizedAllowedHosts.contains("*")) {
+ // Since "*" is in the allowed hosts, simply allow all origins
+ applyHeaders(rep, "*");
+ } else if (normalizedAllowedHosts.contains(origin)) {
+ // Request is from an origin the user trusts.
+ applyHeaders(rep, origin);
+ }
+ }
- if (!corsHost.trim().equals("")) {
- rep.addHeader("Access-Control-Allow-Origin", corsHost);
- rep.addHeader("Access-Control-Allow-Headers", "*");
+ private void applyHeaders(NanoHTTPD.Response rep, String allowOrigin) {
+ rep.addHeader("Access-Control-Allow-Origin", allowOrigin);
+ rep.addHeader("Access-Control-Allow-Headers", "*");
+ }
+
+ // Trim and remove trailing slash from a host
+ @NonNull
+ private String normalizeHost(String host) {
+ if (host == null) {
+ return "";
+ }
+ String normalizedHost = host.trim();
+ if (normalizedHost.endsWith("/")) {
+ normalizedHost = normalizedHost.substring(0, normalizedHost.length() - 1);
 }
+ return normalizedHost;
 }
 }
diff --git a/app/src/main/res/xml/root_preferences.xml b/app/src/main/res/xml/root_preferences.xml
index cb6a008..9214b04 100644
--- a/app/src/main/res/xml/root_preferences.xml
+++ b/app/src/main/res/xml/root_preferences.xml
@@ -24,10 +24,10 @@
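Review bot: In RouteHandler.java, the `else if (normalizedAllowedHosts.contains(origin))` branch echoes the request's Origin into `Access-Control-Allow-Origin` without a `Vary` header, so a cache may reuse a response whose allow-origin value was computed for a different origin; adding `rep.addHeader("Vary", "Origin");` in that branch (not in the `*` branch) avoids that. The allow-list also appears to be applied to a response that is already built, so it governs which pages can read a reply, not which pages can trigger the action. If the setting is meant to keep untrusted sites from changing the collection, the origin check would need to run before the request is dispatched; that part of the method lies outside the visible lines, so this should be confirmed there. The comment on `normalizeHost` could also record the matching rule, e.g. `// Entries must be full origins (scheme://host[:port]); compared to the Origin header by exact, case-sensitive match`.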