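# Derive the Access-Control-Allow-Origin value from the request's Origin header.
# $allow_origin echoes the Origin back only when it matches one of the patterns
# below; otherwise it is the empty string, and nginx does not emit an
# add_header whose value is empty.
map $http_origin $allow_origin {
    # my-domain.com and any of its subdomains, with an optional port.
    # The dots are escaped so they match only a literal ".": unescaped,
    # "my-domain.com" would also accept hosts such as "my-domainXcom".
    # The subdomain part is limited to hostname label characters rather than
    # ".*" (browsers serialise the Origin host in lowercase ASCII).
    # NOTE(review): "https?" also trusts plain-HTTP origins; narrow this to
    # "https" if no allowed front end is served over http.
    ~^https?://([a-z0-9-]+\.)*my-domain\.com(:\d+)?$ $http_origin;

    # NOTE(review): localhost origins are trusted on every deployment that
    # loads this file. If this entry exists for local development only, keep
    # it out of the production configuration.
    ~^https?://([a-z0-9-]+\.)*localhost(:\d+)?$ $http_origin;

    # Any other Origin (or none): no CORS header is sent.
    default "";
}

server {
    listen 80 default_server;
    server_name _;

    add_header 'Access-Control-Allow-Origin' $allow_origin;
    # The response now depends on the request's Origin, so shared caches must
    # key on it; otherwise a response cached for one origin can be replayed
    # to another.
    add_header 'Vary' 'Origin';

    # NOTE(review): add_header is inherited by a location only when that
    # location defines no add_header of its own, and without the "always"
    # parameter it is applied only to a fixed set of success/redirect status
    # codes. Check both wherever these headers are expected.

    # ...
}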