diff --git a/.env.example b/.env.example
index c1860f7..01b011d 100644
--- a/.env.example
+++ b/.env.example
@@ -1,5 +1,9 @@
-HTTP_PORT=9283
+# Host and port this server will listen on
 HTTP_HOST=localhost
+HTTP_PORT=9283
+# Allowed origins for POST requests; needed for web games; if empty or missing, defaults to '*'
+HTTP_POST_ALLOWED_ORIGINS=https://your.domain.com
+# Database connection settings
 DATABASE_NAME=game_logger
 DATABASE_HOST=localhost
 DATABASE_USER=game_logger
diff --git a/src/server/index.ts b/src/server/index.ts
index 6c89852..b3105a7 100644
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -11,11 +11,6 @@ const app = express();
 // serve che client files
 app.use(express.static("./dist/client"));
 
-// activate cors, but only if in dev mode (in prodution, the client is served by the same server)
-if (process.env.TS_NODE_DEV) {
-  app.use(cors());
-}
-
 // enable body parser to parse json and urlencoded data
 app.use(bodyParser.urlencoded({ extended: false }));
 app.use(bodyParser.json());
diff --git a/src/server/post-message.ts b/src/server/post-message.ts
index 18771dc..be14eb8 100644
--- a/src/server/post-message.ts
+++ b/src/server/post-message.ts
@@ -1,12 +1,18 @@
 import type { Express } from "express";
 import multer from "multer";
-import cors from "cors";
+import cors, { type CorsOptions } from "cors";
 import { addEntry } from "./db";
 
 const upload = multer();
 
+const postCorsOptions: CorsOptions = {
+  origin: (process.env.HTTP_POST_ALLOWED_ORIGINS || "*").split(","),
+  methods: ["POST"],
+};
+
 export function registerPostMessage(app: Express) {
-  app.post("/", cors(), (req, res) => {
+  app.options("/", cors(postCorsOptions));
+  app.post("/", cors(postCorsOptions), (req, res) => {
     console.log("\nReceived logging message:");
     const metadata: [string, string][] = [];
     let gameName: string = "";