diff --git a/atst/app.py b/atst/app.py
index 83163a88..346ffe8b 100644
--- a/atst/app.py
+++ b/atst/app.py
@@ -137,6 +137,7 @@ def set_default_headers(app): # pragma: no cover
 response.headers["X-Content-Type-Options"] = "nosniff"
 response.headers["X-Frame-Options"] = "SAMEORIGIN"
 response.headers["X-XSS-Protection"] = "1; mode=block"
+ response.headers["Access-Control-Allow-Origin"] = app.config.get("CDN_ORIGIN")
 if ENV == "dev":
 response.headers[
diff --git a/config/base.ini b/config/base.ini
index 105aeb4c..76e0f03e 100644
--- a/config/base.ini
+++ b/config/base.ini
@@ -2,6 +2,7 @@
 ASSETS_URL
 CAC_URL = http://localhost:8000/login-redirect
 CA_CHAIN = ssl/server-certs/ca-chain.pem
+CDN_ORIGIN=http://localhost:8000
 CELERY_DEFAULT_QUEUE=celery
 CLASSIFIED = false
 CONTRACT_END_DATE = 2022-09-14
diff --git a/deploy/azure/atst-envvars-configmap.yml b/deploy/azure/atst-envvars-configmap.yml
index 61f81fa8..4870e6a6 100644
--- a/deploy/azure/atst-envvars-configmap.yml
+++ b/deploy/azure/atst-envvars-configmap.yml
@@ -7,6 +7,7 @@ metadata:
 data:
 ASSETS_URL: https://atat-cdn.azureedge.net/
 CELERY_DEFAULT_QUEUE: celery-master
+ CDN_ORIGIN: https://azure.atat.code.mil
 CSP: azure
 FLASK_ENV: dev
 LOG_JSON: "true"
diff --git a/deploy/overlays/staging/envvars.yml b/deploy/overlays/staging/envvars.yml
index 86ea42b7..99721ec9 100644
--- a/deploy/overlays/staging/envvars.yml
+++ b/deploy/overlays/staging/envvars.yml
@@ -14,6 +14,7 @@ metadata:
 name: atst-envvars
 data:
 ASSETS_URL: https://atat-cdn-staging.azureedge.net/
+ CDN_ORIGIN: https://staging.atat.code.mil
 CELERY_DEFAULT_QUEUE: celery-staging
 FLASK_ENV: staging
 STATIC_URL: https://atat-cdn-staging.azureedge.net/static/
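Review bot: The added `Access-Control-Allow-Origin` line takes its value from `app.config.get("CDN_ORIGIN")`, which returns `None` when the key is missing, so a deployment without the setting would presumably send a meaningless header value (or fail while serialising it, depending on the Werkzeug version) instead of omitting the header. I would set it only when configured: `origin = app.config.get("CDN_ORIGIN")` followed by `if origin: response.headers["Access-Control-Allow-Origin"] = origin`. The hook also applies the header to every response, including authenticated pages, while the setting's name suggests only CDN-served static assets need it; restricting it to the static paths would keep the cross-origin read grant as narrow as the use case, assuming that is the intent. The body of the response hook continues outside this hunk, so the placement relative to the `ENV == "dev"` branch should be checked there.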
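Review bot: `CDN_ORIGIN=http://localhost:8000` in base.ini becomes the value for every environment that does not override it, and this diff overrides it only in the Azure configmap and the staging overlay, so any other deployment would advertise a plain-http localhost origin as allowed to read its responses. Leaving the key empty in base.ini and setting it per environment would make a missing override fail closed, provided the code in atst/app.py skips the header when the value is empty. A comment such as `# Origin of the pages allowed to fetch CDN-hosted assets (scheme://host[:port], no trailing slash)` would also help, since the deployed values are application hostnames rather than the CDN host in `ASSETS_URL`.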