diff -ru dnsdist-1.9.11.orig/dnsdist-lua.cc dnsdist-1.9.11/dnsdist-lua.cc
--- dnsdist-1.9.11.orig/dnsdist-lua.cc 2025-09-18 09:10:23.000000000 +0200
+++ dnsdist-1.9.11/dnsdist-lua.cc 2026-02-23 14:39:35.855943043 +0100
@@ -1129,6 +1129,7 @@
 bool statsRequireAuthentication{true};
 bool apiRequiresAuthentication{true};
 bool dashboardRequiresAuthentication{true};
+ bool allowCrossOriginRequests{false};
 int maxConcurrentConnections = 0;
 
 if (getOptionalValue(vars, "password", password) > 0) {
@@ -1169,6 +1170,10 @@
 setWebserverDashboardRequiresAuthentication(dashboardRequiresAuthentication);
 }
 
+ if (getOptionalValue(vars, "allowCrossOriginRequests", allowCrossOriginRequests) > 0) {
+ setWebserverAllowCrossOriginRequests(allowCrossOriginRequests);
+ }
+
 if (getOptionalIntegerValue("setWebserverConfig", vars, "maxConcurrentConnections", maxConcurrentConnections) > 0) {
 setWebserverMaxConcurrentConnections(maxConcurrentConnections);
 }
diff -ru dnsdist-1.9.11.orig/dnsdist-web.cc dnsdist-1.9.11/dnsdist-web.cc
--- dnsdist-1.9.11.orig/dnsdist-web.cc 2025-09-18 09:10:23.000000000 +0200
+++ dnsdist-1.9.11/dnsdist-web.cc 2026-02-23 14:39:35.857843626 +0100
@@ -57,6 +57,7 @@
 bool apiRequiresAuthentication{true};
 bool dashboardRequiresAuthentication{true};
 bool statsRequireAuthentication{true};
+ bool allowCrossOriginRequests{false}; // Whether the webserver / API allows cross-origin requests
 };
 
 bool g_apiReadWrite{false};
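Review bot: The `allowCrossOriginRequests` key parsed in the second dnsdist-lua.cc hunk (`@@ -1169,6 +1170,10 @@`) has no comment saying why it defaults to off or what enabling it exposes. I would add above the new `if`: `// Off by default: when enabled, the webserver appears to echo the caller's Origin in Access-Control-Allow-Origin, so pages on other origins can read API/stats responses`. Since this is a security-relevant switch, emitting one log line when it is set to true would also give operators something to audit. The enclosing function starts and ends outside the hunk.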
@@ -391,10 +392,13 @@
 resp.headers["Access-Control-Allow-Headers"] = "Authorization, X-API-Key";
 }
 
- resp.headers["Access-Control-Allow-Origin"] = origin->second;
+ const auto allowCrossOrigin = g_webserverConfig.lock()->allowCrossOriginRequests;
+ if (allowCrossOrigin) {
+ resp.headers["Access-Control-Allow-Origin"] = origin->second;
 
- if (isAStatsRequest(req) || isAnAPIRequestAllowedWithWebAuth(req)) {
- resp.headers["Access-Control-Allow-Credentials"] = "true";
+ if (isAStatsRequest(req) || isAnAPIRequestAllowedWithWebAuth(req)) {
+ resp.headers["Access-Control-Allow-Credentials"] = "true";
+ }
 }
 }
 }
@@ -1957,6 +1961,11 @@
 g_webserverConfig.lock()->dashboardRequiresAuthentication = require;
 }
 
+void setWebserverAllowCrossOriginRequests(bool allow)
+{
+ g_webserverConfig.lock()->allowCrossOriginRequests = allow;
+}
+
 void setWebserverMaxConcurrentConnections(size_t max)
 {
 s_connManager.setMaxConcurrentConnections(max);
diff -ru dnsdist-1.9.11.orig/dnsdist-web.hh dnsdist-1.9.11/dnsdist-web.hh
--- dnsdist-1.9.11.orig/dnsdist-web.hh 2025-09-18 09:10:23.000000000 +0200
+++ dnsdist-1.9.11/dnsdist-web.hh 2026-02-23 14:39:35.858453508 +0100
@@ -11,6 +11,7 @@
 void setWebserverDashboardRequiresAuthentication(bool);
 void setWebserverStatsRequireAuthentication(bool);
 void setWebserverMaxConcurrentConnections(size_t);
+void setWebserverAllowCrossOriginRequests(bool);
 
 void dnsdistWebserverThread(int sock, const ComboAddress& local);
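Review bot: In the dnsdist-web.cc hunk at `@@ -391,10 +392,13 @@`, enabling the option still copies `origin->second` into `Access-Control-Allow-Origin` for every caller and adds `Access-Control-Allow-Credentials: true` on stats and web-auth API requests, so the switch is all-or-nothing rather than limited to trusted origins. That deserves a comment above `if (allowCrossOrigin)`, and an allow-list of origins checked before the header is set would be the safer design if the configuration can carry one. Because the header value differs per request, `resp.headers["Vary"] = "Origin";` should be set next to it so a shared cache does not hand one origin's response to another. The pre-flight branch that ends in the hunk's first context lines still emits `Access-Control-Allow-Headers` when the option is off; moving the check to the top of the function would keep the disabled case free of CORS headers. The function starts outside the hunk.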