diff --git a/packages/decap-server/README.md b/packages/decap-server/README.md
index 9b66fa4459b4..b730ccb09b98 100644
--- a/packages/decap-server/README.md
+++ b/packages/decap-server/README.md
@@ -27,4 +27,8 @@ backend:
 GIT_REPO_DIRECTORY=FULL_PATH_TO_LOCAL_GIT_REPO
 # optional, defaults to 8081
 PORT=CUSTOM_PORT
+# optional, only listen for incoming connections on a specific IP address
+BIND_HOST=127.0.0.1
+# optional, restrict API requests to a specific origin
+ORIGIN=https://example.com
 ```
diff --git a/packages/decap-server/src/index.ts b/packages/decap-server/src/index.ts
index 88afbff198bd..813ccc2c720a 100644
--- a/packages/decap-server/src/index.ts
+++ b/packages/decap-server/src/index.ts
@@ -8,7 +8,8 @@ import { registerMiddleware as registerLocalFs } from './middlewares/localFs';
 import { createLogger } from './logger';
 
 const app = express();
-const port = process.env.PORT || 8081;
+const port = parseInt(process.env.PORT || '8081', 10);
+const host = process.env.BIND_HOST;
 const level = process.env.LOG_LEVEL || 'info';
 
 (async () => {
@@ -33,7 +34,13 @@ const level = process.env.LOG_LEVEL || 'info';
     process.exit(1);
   }
 
-  return app.listen(port, () => {
-    logger.info(`Decap CMS Proxy Server listening on port ${port}`);
-  });
+  if (host) {
+    return app.listen(port, host, () => {
+      logger.info(`Decap CMS Proxy Server listening on ${host}:${port}`);
+    });
+  } else {
+    return app.listen(port, () => {
+      logger.info(`Decap CMS Proxy Server listening on port ${port}`);
+    });
+  }
 })();
diff --git a/packages/decap-server/src/middlewares/common/index.ts b/packages/decap-server/src/middlewares/common/index.ts
index 18ec4c46749b..a43ccbfc8ed5 100644
--- a/packages/decap-server/src/middlewares/common/index.ts
+++ b/packages/decap-server/src/middlewares/common/index.ts
@@ -16,6 +16,10 @@ export function registerCommonMiddlewares(app: express.Express, options: Options
     },
   };
   app.use(morgan('combined', { stream }));
-  app.use(cors());
+  app.use(
+    cors({
+      origin: process.env.ORIGIN || '*',
+    }),
+  );
   app.use(express.json({ limit: '50mb' }));
 }