diff --git a/settings.schema.yaml b/settings.schema.yaml
index ba3bed7..e47fba3 100644
--- a/settings.schema.yaml
+++ b/settings.schema.yaml
@@ -31,6 +31,10 @@ $defs:
         description: Prefix for the API path (e.g. "/api/v0")
         title: App Root Path
         type: string
+      cors_allow_origin_regex:
+        default: .*
+        title: Cors Allow Origin Regex
+        type: string
       db_url:
         default: postgresql+asyncpg://postgres:postgres@localhost:5433/postgres
         example: postgresql+asyncpg://user:password@localhost:5433/db_name
diff --git a/src/api/app.py b/src/api/app.py
index a4946e9..677a061 100644
--- a/src/api/app.py
+++ b/src/api/app.py
@@ -1,5 +1,6 @@
 from fastapi import FastAPI
 from fastapi_swagger import patch_fastapi
+from starlette.middleware.cors import CORSMiddleware
 
 import src.api.logging_  # noqa: F401
 from src.api import docs
@@ -37,6 +38,15 @@
 
 patch_fastapi(app)
 
+# CORS settings
+app.add_middleware(
+    CORSMiddleware,
+    allow_origin_regex=api_settings.cors_allow_origin_regex,
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
 from src.api.auth.routes import router as router_auth  # noqa: E402
 from src.api.bookings.routes import router as router_booking  # noqa: E402
 from src.api.root.routes import router as router_root  # noqa: E402
diff --git a/src/config_schema.py b/src/config_schema.py
index 9893033..18749bf 100644
--- a/src/config_schema.py
+++ b/src/config_schema.py
@@ -37,6 +37,9 @@ class Accounts(BaseModel):
 
 class ApiSettings(BaseModel):
     app_root_path: str = Field("", description='Prefix for the API path (e.g. "/api/v0")')
+    cors_allow_origin_regex: str = ".*"
+    "Allowed origins for CORS: from which domains requests to the API are allowed. Specify as a regex: `https://.*.innohassle.ru`"
+
     db_url: str = Field(
         "postgresql+asyncpg://postgres:postgres@localhost:5433/postgres",
         example="postgresql+asyncpg://user:password@localhost:5433/db_name",