diff --git a/src/main/java/ca/uhn/fhir/jpa/starter/BaseJpaRestfulServer.java b/src/main/java/ca/uhn/fhir/jpa/starter/BaseJpaRestfulServer.java
index 8154714..0333e71 100644
--- a/src/main/java/ca/uhn/fhir/jpa/starter/BaseJpaRestfulServer.java
+++ b/src/main/java/ca/uhn/fhir/jpa/starter/BaseJpaRestfulServer.java
@@ -280,7 +280,7 @@ public class BaseJpaRestfulServer extends RestfulServer {
       config.addAllowedHeader("X-Requested-With");
       config.addAllowedHeader("Prefer");
       List<String> allAllowedCORSOrigins = appProperties.getCors().getAllowed_origin();
-      allAllowedCORSOrigins.forEach(config::addAllowedOrigin);
+      allAllowedCORSOrigins.forEach(config::addAllowedOriginPattern);
 
 
       config.addExposedHeader("Location");
diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
index 6d685bd..015bc71 100644
--- a/src/main/resources/application.yaml
+++ b/src/main/resources/application.yaml
@@ -82,12 +82,11 @@ hapi:
     #partitioning:
     #  allow_references_across_partitions: false
     #  partitioning_include_in_search_hashes: false
-    #cors:
-    #  allow_Credentials: true
-      # Supports multiple, comma separated allowed origin entries
-      # cors.allowed_origin=http://localhost:8080,https://localhost:8080,https://fhirtest.uhn.ca
-    #  allowed_origin:
-    #    - '*'
+    cors:
+      allow_Credentials: true
+      # These are allowed_origin patterns, see: https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/cors/CorsConfiguration.html#setAllowedOriginPatterns-java.util.List-
+      allowed_origin:
+        - '*'
 
 #    logger:
 #      error_format: 'ERROR - ${requestVerb} ${requestUrl}'