diff --git a/.env.template b/.env.template
index 5c4370fe1..3b519f2c6 100644
--- a/.env.template
+++ b/.env.template
@@ -13,6 +13,14 @@ DEBUG_TOOLBAR=0
 # hosts the application can run under e.g. recipes.mydomain.com,cooking.mydomain.com,...
 ALLOWED_HOSTS=*
 
+# Cross Site Request Forgery protection
+# (https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-CSRF_TRUSTED_ORIGINS)
+# CSRF_TRUSTED_ORIGINS = []
+
+# Cross Origin Resource Sharing
+# (https://github.com/adamchainz/django-cors-header)
+# CORS_ALLOW_ALL_ORIGINS = True
+
 # random secret key, use for example `base64 /dev/urandom | head -c50` to generate one
 # ---------------------------- REQUIRED -------------------------
 SECRET_KEY=
diff --git a/recipes/settings.py b/recipes/settings.py
index 9a36bfc19..26639189d 100644
--- a/recipes/settings.py
+++ b/recipes/settings.py
@@ -68,7 +68,11 @@ ALLOWED_HOSTS = os.getenv('ALLOWED_HOSTS').split(
 if os.getenv('CSRF_TRUSTED_ORIGINS'):
     CSRF_TRUSTED_ORIGINS = os.getenv('CSRF_TRUSTED_ORIGINS').split(',')
 
-CORS_ORIGIN_ALLOW_ALL = True
+if CORS_ORIGIN_ALLOW_ALL := os.getenv('CORS_ORIGIN_ALLOW_ALL') is not None:
+    print('DEPRECATION WARNING: Environment var "CORS_ORIGIN_ALLOW_ALL" is deprecated. Please use "CORS_ALLOW_ALL_ORIGINS."')
+    CORS_ALLOW_ALL_ORIGINS = CORS_ORIGIN_ALLOW_ALL
+else:
+    CORS_ALLOW_ALL_ORIGINS = bool(int(os.getenv("CORS_ALLOW_ALL_ORIGINS", True)))
 
 LOGIN_REDIRECT_URL = "index"
 LOGOUT_REDIRECT_URL = "index"
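Review bot: The commented example `# CORS_ALLOW_ALL_ORIGINS = True` does not match how recipes/settings.py in this same commit reads the variable: the value goes through `bool(int(...))`, so an operator who uncomments it as written gets a ValueError at startup instead of a CORS setting. The example should show the accepted form and state the default, e.g. `# CORS_ALLOW_ALL_ORIGINS=0` with a comment that leaving it unset keeps every origin allowed. Likewise `# CSRF_TRUSTED_ORIGINS = []` suggests list syntax while settings.py splits the value on commas; `# CSRF_TRUSTED_ORIGINS=https://recipes.mydomain.com,https://cooking.mydomain.com` would match, since the linked Django 4.2 setting expects scheme-qualified origins. The CORS link also appears to be missing the trailing "s" of django-cors-headers.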
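Review bot: In `if CORS_ORIGIN_ALLOW_ALL := os.getenv('CORS_ORIGIN_ALLOW_ALL') is not None:` the walrus binds the result of the `is not None` comparison rather than the environment value, so `CORS_ALLOW_ALL_ORIGINS` becomes True whenever the deprecated variable is set at all, including `CORS_ORIGIN_ALLOW_ALL=0`. An operator who tries to switch the allow-all policy off through the old name therefore leaves it on, with only the deprecation line on stdout to go by. Parenthesise the assignment and parse the value the same way as the new name: `if (legacy_cors := os.getenv('CORS_ORIGIN_ALLOW_ALL')) is not None:` and `CORS_ALLOW_ALL_ORIGINS = bool(int(legacy_cors))`. The `True` default in the else branch keeps the previous allow-all behaviour, which deserves a comment such as `# default stays permissive for backwards compatibility; set CORS_ALLOW_ALL_ORIGINS=0 to restrict` so it reads as a deliberate choice.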