diff --git a/attributes/default.rb b/attributes/default.rb
index f0ff6a0..66211d8 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -78,6 +78,11 @@
 default.elasticsearch['discovery']['zen']['ping']['multicast']['enabled'] = false
 default.elasticsearch['discovery']['zen']['minimum_master_nodes'] = 1
 
+# === CORS SETTINGS
+#
+default.elasticsearch['http_cors']['enabled'] = false
+default.elasticsearch['http_cors']['allow_origin'] = "/https?:\/\/localhost(:[0-9]+)?/"
+
 # === GATEWAY SETTINGS
 #
 default.elasticsearch['gateway']['expected_nodes'] = 1
diff --git a/templates/default/elasticsearch.yml.erb b/templates/default/elasticsearch.yml.erb
index 904fefd..4393c35 100644
--- a/templates/default/elasticsearch.yml.erb
+++ b/templates/default/elasticsearch.yml.erb
@@ -266,13 +266,15 @@ bootstrap.mlockall: <%= node.elasticsearch['bootstrap']['mlockall'] %>
 #
 http.port: <%= node.elasticsearch['http']['port'] %>
 
+<% if node.elasticsearch['http_cors']['enabled'] -%>
 # Enable or disable cross-origin resource sharing, i.e. whether a browser on another 
-# origin can do requests to Elasticsearch. Defaults to false.
+# origin can do requests directly to Elasticsearch. Defaults to false.
 http.cors.enabled: true
 
-# Which origins to allow. Defaults to no origins allowed.
-# It's not necessary specify the port unless it's different from 80. 
-http.cors.allow-origin: http://<%= node.elasticsearch['node']['name'] %>
+# Which origins to allow: by default no origins are allowed. It's not necessary specify 
+# the port unless it's different from 80. 
+http.cors.allow-origin: <%= node.elasticsearch['http_cors']['allow_origin'] %>
+<% end -%>
 
 # Set a custom allowed content length:
 #