diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 3863792f9c01b9642dfa79457ca3798a0e38b640..6b85949e46779666c8207707ef622e6a7c1b46c8 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,5 +1,6 @@
 class ApplicationController < ActionController::Base
   include Authentication
+  include AddProxyRequestOrigin
 
   def send_file
     File.open("tmp/#{params[:filename]}", "r") do |f|
diff --git a/config/environments/development.rb b/config/environments/development.rb
index e3191fb130d0d38a56bb2d3ae58d434484c80b3f..44550745457e02f3260d2f81d2c5d438cc19ebe2 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -76,6 +76,4 @@ Rails.application.configure do
   # Allow Action Cable access from any origin.
   config.action_cable.url = ENV['NEP_CABLE_URL'] || 'http://127.0.0.1:3000/cable'
   config.action_cable.allowed_request_origins = [ENV['NEP_LABS_DOMAIN'], 'http://127.0.0.1:8001']
-  # Allow XHR/Ajax requests from different origin
-  config.action_controller.forgery_protection_origin_check = false
 end
diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb
new file mode 100644
index 0000000000000000000000000000000000000000..f8e7d399271fe6fea558527407b7baa87c2c3d1e
--- /dev/null
+++ b/config/initializers/cors.rb
@@ -0,0 +1,16 @@
+# Allow requests from Labs domain
+module AddProxyRequestOrigin
+  extend ActionController::RequestForgeryProtection
+
+  allowed_request_origins = [ENV['NEP_LABS_DOMAIN'], 'http://127.0.0.1:8001']
+
+  def valid_request_origin? # :doc:
+    if forgery_protection_origin_check
+      # We accept blank origin headers because some user agents don't send it.
+      raise InvalidAuthenticityToken, NULL_ORIGIN_MESSAGE if request.origin == "null"
+      request.origin.nil? || request.origin == request.base_url || request.origin in allowed_request_origins
+    else
+      true
+    end
+  end
+end
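Review bot: The membership test in `request.origin.nil? || request.origin == request.base_url || request.origin in allowed_request_origins` does not test membership: in Ruby 3 `expr in pattern` is a pattern match, and a bare identifier as the pattern binds a fresh local, so however the operands group the match succeeds for every Origin value and the origin check is effectively disabled for all environments, which is wider than the development-only `forgery_protection_origin_check = false` this commit removes. The `allowed_request_origins` assignment two lines earlier is also a module-body local that the method cannot see, so it should become a constant, `ALLOWED_REQUEST_ORIGINS = [ENV['NEP_LABS_DOMAIN'], 'http://127.0.0.1:8001'].freeze`, with the check written as `ALLOWED_REQUEST_ORIGINS.include?(request.origin)`. `InvalidAuthenticityToken` and `NULL_ORIGIN_MESSAGE` on the `raise` line are resolved lexically inside `AddProxyRequestOrigin`, not through the including controller, so that line likely fails with NameError when the header is literally "null"; `raise ActionController::InvalidAuthenticityToken, ActionController::RequestForgeryProtection::NULL_ORIGIN_MESSAGE` avoids that. `extend ActionController::RequestForgeryProtection` adds those methods to the module object itself rather than to the controller that includes it and appears to contribute nothing to the override, and the file name `cors.rb` is misleading since this customises the CSRF origin check rather than CORS.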