diff --git a/deploy/values.yaml.gotmpl b/deploy/values.yaml.gotmpl
index b0b962fdb9b101145e687fe474c3c0bd6e1fe4af_ZGVwbG95L3ZhbHVlcy55YW1sLmdvdG1wbA==..87db1e60a5262c2d6a01d5fa06a722dd2d0f2c1c_ZGVwbG95L3ZhbHVlcy55YW1sLmdvdG1wbA== 100644
--- a/deploy/values.yaml.gotmpl
+++ b/deploy/values.yaml.gotmpl
@@ -18,8 +18,13 @@
   tls:
     withSecret: false
   annotations:
-    nginx.ingress.kubernetes.io/enable-cors: "true"
-    nginx.ingress.kubernetes.io/cors-allow-origin: '*'
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      more_set_headers "Vary: Origin";
+      more_set_headers "Access-Control-Allow-Origin: https://rodolf.k.intra.logilab.fr";
+      more_set_headers "Access-Control-Allow-Credentials: true";
+      more_set_headers "Access-Control-Allow-Methods: GET,POST,OPTIONS";
+      more_set_headers "Access-Control-Allow-Headers: Content-Type, X-Client-Name";
+    nginx.ingress.kubernetes.io/enable-cors: "false"
 
 # backup
 backupBeforeCwUpgrade: {{ .StateValues.backupBeforeCwUpgrade }}
@@ -32,6 +37,10 @@
 dropDbAfterDeletingHelmRelease: {{ .StateValues.dropDbAfterDeletingHelmRelease }}
 
 env:
+  CW_ACCESS_CONTROL_ALLOW_HEADERS: "*"
+  CW_ACCESS_CONTROL_ALLOW_METHODS: GET, POST, OPTIONS
+  CW_ACCESS_CONTROL_ALLOW_ORIGIN: https://rodolf.k.intra.logilab.fr
+  CW_ACCESS_CONTROL_MAX_AGE: "1728000"
   CW_DB_HOST: pg.intra.logilab.fr
   CW_DB_PORT: 5432
   CW_DB_NAME: rodolf