diff --git a/server/config/custom.js b/server/config/custom.js
index 4cebc225..29e6533d 100644
--- a/server/config/custom.js
+++ b/server/config/custom.js
@@ -27,7 +27,8 @@ const envToBytes = (value) => bytes(value);
 const envToArray = (value) => (value ? value.split(',') : []);
-const parsedBasedUrl = new URL(process.env.BASE_URL);
+const baseUrl = envToArray(process.env.BASE_URL)[0];
+const parsedBasedUrl = new URL(baseUrl);
 module.exports.custom = {
 /**
@@ -38,7 +39,7 @@ module.exports.custom = {
 version,
- baseUrl: process.env.BASE_URL,
+ baseUrl,
 baseUrlPath: parsedBasedUrl.pathname,
 baseUrlSecure: parsedBasedUrl.protocol === 'https:',
@@ -94,7 +95,7 @@ module.exports.custom = {
 // TODO: move client base url to environment variable?
 oidcRedirectUri: `${
- sails.config.environment === 'production' ? process.env.BASE_URL : 'http://localhost:3000'
+ sails.config.environment === 'production' ? baseUrl : 'http://localhost:3000'
 }/oidc-callback`,
 smtpHost: process.env.SMTP_HOST,
diff --git a/server/config/env/production.js b/server/config/env/production.js
index 010f46d9..718aee63 100644
--- a/server/config/env/production.js
+++ b/server/config/env/production.js
@@ -23,7 +23,7 @@ const { URL } = require('url');
 const { customLogger } = require('../../utils/logger');
-const parsedBasedUrl = new URL(process.env.BASE_URL);
+const origins = process.env.BASE_URL.split(',').map((baseUrl) => new URL(baseUrl).origin);
 module.exports = {
 /**
@@ -133,10 +133,10 @@ module.exports = {
 */
 cors: {
- allRoutes: false,
- allowOrigins: '*',
- allowRequestHeaders: 'content-type',
- allowCredentials: false,
+ allRoutes: true,
+ allowOrigins: origins.slice(1),
+ allowRequestHeaders: ['Authorization'],
+ allowCredentials: true,
 },
 },
@@ -221,7 +221,7 @@ module.exports = {
 *
 */
- onlyAllowOrigins: [parsedBasedUrl.origin],
+ onlyAllowOrigins: origins,
 /**
 *
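Review bot: In server/config/custom.js, the rule that `BASE_URL` is now a comma-separated list whose first entry is the canonical URL is only implied by `envToArray(process.env.BASE_URL)[0]`. A comment above that line would make the contract visible to operators, for example `// BASE_URL may list several URLs; the first is canonical (baseUrl, baseUrlPath, oidcRedirectUri).` When the variable is unset or empty, `baseUrl` is `undefined` and `new URL(baseUrl)` fails with a generic invalid-URL error. An explicit `if (!baseUrl) throw new Error('BASE_URL is required');` before it would make that misconfiguration easier to diagnose.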
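Review bot: In server/config/env/production.js, `new URL(baseUrl).origin` serialises to the literal string `null` for an entry whose scheme is not http(s). Nothing here rejects such an entry before the list is used for `allowOrigins` and `onlyAllowOrigins` later in this file. With `allowCredentials: true`, a `null` origin in an allow-list is a known CORS misconfiguration, so I would fail at startup on any non-http(s) entry, as in the sketch below. The split is also done by hand here while custom.js goes through `envToArray`, so an unset `BASE_URL` fails with a different error in each file; sharing one parser would keep them in step.

```javascript
const origins = process.env.BASE_URL.split(',').map((baseUrl) => {
  const { protocol, origin } = new URL(baseUrl.trim());
  if (protocol !== 'http:' && protocol !== 'https:') {
    throw new Error(`BASE_URL entries must use http or https: ${baseUrl}`);
  }
  return origin;
});
```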
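Review bot: In the `cors` block of server/config/env/production.js, `allRoutes: true` together with `allowCredentials: true` lets every origin taken from the second and later `BASE_URL` entries make credentialed requests to all routes. That list is now a trust boundary and nothing in the file says so. I would add a comment above `cors:` such as `// Extra BASE_URL entries are fully trusted origins: credentialed cross-origin access to every route.` Separately, `allowRequestHeaders: ['Authorization']` drops `content-type`; if those origins send JSON bodies the preflight will presumably need `['Authorization', 'Content-Type']`. It is also worth confirming how Sails treats the empty array that `origins.slice(1)` yields when only one URL is configured.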