diff --git a/.changeset/93d02184/changes.json b/.changeset/93d02184/changes.json
new file mode 100644
index 00000000000..027419b18fd
--- /dev/null
+++ b/.changeset/93d02184/changes.json
@@ -0,0 +1,26 @@
+{
+ "releases": [{ "name": "@voussoir/server", "type": "minor" }],
+ "dependents": [
+ { "name": "@voussoir/test-utils", "type": "patch", "dependencies": ["@voussoir/server"] },
+ {
+ "name": "@voussoir/cypress-project-access-control",
+ "type": "patch",
+ "dependencies": ["@voussoir/test-utils", "@voussoir/server"]
+ },
+ {
+ "name": "@voussoir/cypress-project-basic",
+ "type": "patch",
+ "dependencies": ["@voussoir/test-utils", "@voussoir/server"]
+ },
+ {
+ "name": "@voussoir/cypress-project-login",
+ "type": "patch",
+ "dependencies": ["@voussoir/test-utils", "@voussoir/server"]
+ },
+ {
+ "name": "@voussoir/cypress-project-twitter-login",
+ "type": "patch",
+ "dependencies": ["@voussoir/server"]
+ }
+ ]
+}
diff --git a/.changeset/93d02184/changes.md b/.changeset/93d02184/changes.md
new file mode 100644
index 00000000000..8fbbe023ea7
--- /dev/null
+++ b/.changeset/93d02184/changes.md
@@ -0,0 +1 @@
+- Makes CORS user configurable
\ No newline at end of file
diff --git a/packages/server/WebServer/graphql.js b/packages/server/WebServer/graphql.js
index 2473fcbaf2d..3f18eb72fbf 100644
--- a/packages/server/WebServer/graphql.js
+++ b/packages/server/WebServer/graphql.js
@@ -124,7 +124,13 @@ module.exports = function createGraphQLMiddleware(keystone, { apiPath, graphiqlP
 }
 },
 });
- server.applyMiddleware({ app, path: apiPath });
+ server.applyMiddleware({
+ app,
+ path: apiPath,
+ // Prevent ApolloServer from overriding Keystone's CORS configuration.
+ // https://www.apollographql.com/docs/apollo-server/api/apollo-server.html#ApolloServer-applyMiddleware
+ cors: false,
+ });
 if (graphiqlPath) {
 app.use(graphiqlPath, (req, res) => {
 if (req.user && req.sessionID) {
diff --git a/packages/server/WebServer/index.js b/packages/server/WebServer/index.js
index 51da846d723..d91d8213a40 100644
--- a/packages/server/WebServer/index.js
+++ b/packages/server/WebServer/index.js
@@ -23,12 +23,9 @@ module.exports = class WebServer {
 this.app.use(require('express-pino-logger')(this.config.pinoOptions));
 }
- this.app.use(
- cors({
- origin: true,
- credentials: true,
- })
- );
+ if (this.config.cors) {
+ this.app.use(cors(this.config.cors));
+ }
 if (this.config.authStrategy) {
 // Setup the session as the very first thing.
diff --git a/packages/server/WebServer/initConfig.js b/packages/server/WebServer/initConfig.js
index dacb9aa59c6..4ebe6c118e5 100644
--- a/packages/server/WebServer/initConfig.js
+++ b/packages/server/WebServer/initConfig.js
@@ -6,6 +6,7 @@ const defaultConfig = {
 port: process.env.PORT || 3000,
 apiPath: '/admin/api',
 graphiqlPath: '/admin/graphiql',
+ cors: { origin: true, credentials: true },
 };
 const remapKeys = {
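Review bot: In packages/server/WebServer/index.js the new `if (this.config.cors)` branch carries no comment explaining its two outcomes: a falsy value sends no CORS headers at all, and any other value is handed unchanged to the `cors` package. That matters more now that graphql.js sets `cors: false` on Apollo, which leaves this branch as the only place the policy is applied. I would add above it `// config.cors is passed straight to the cors package; set it to false to send no CORS headers.` The enclosing method starts and ends outside the hunk.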
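Review bot: In packages/server/WebServer/initConfig.js the new default `cors: { origin: true, credentials: true }` keeps the old behaviour of echoing whatever `Origin` a request carries while also allowing credentials, so unless a deployment overrides it, any website can make credentialed cross-origin requests to the API and read the responses. If sessions are carried in cookies (the session setup in WebServer/index.js suggests this, but the mechanism is not visible here), authenticated data becomes readable from third-party pages. A closed default such as `cors: false`, with projects opting in through an explicit origin list, would be safer, though it changes behaviour for existing users and would need a matching changeset entry. At minimum I would add above the key `// Reflects any Origin and allows credentials; override with an explicit origin list in production.` The `defaultConfig` object starts outside the hunk.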