diff --git a/Readme.md b/Readme.md index 55bc679..c1b3ad1 100644 --- a/Readme.md +++ b/Readme.md @@ -88,6 +88,7 @@ next steps below INVENTORY_SECRET_KEY= INVENTORY_EXTERNAL_URL=http://localhost:8000 + INVENTORY_TRUSTED_ORIGINS=localhost:8000 INVENTORY_DEBUG=FALSE INVENTORY_LANGUAGE=en-us diff --git a/default.env b/default.env index f3ee62a..f484ee2 100644 --- a/default.env +++ b/default.env @@ -4,6 +4,11 @@ INVENTORY_SECRET_KEY="" # override with URL the service will be available under INVENTORY_EXTERNAL_URL="https://inventory.example.com" +# override with URLs that are used to send POST requests here, +# the EXTERNAL_URL will be in there already, http and https +# will be added automatically, separate multiple origins with commas +INVENTORY_TRUSTED_ORIGINS="localhost" + # keep this to FALSE for deployments INVENTORY_DEBUG="FALSE" diff --git a/inventory_project/settings.py b/inventory_project/settings.py index 8813830..451a679 100644 --- a/inventory_project/settings.py +++ b/inventory_project/settings.py @@ -45,6 +45,15 @@ ALLOWED_HOSTS: list[str] = [ socket.gethostbyname('localhost') ] +CSRF_TRUSTED_ORIGINS: list[str] = [ + *[ + f'{prot}://{host}' + for host in os.environ.get("INVENTORY_TRUSTED_ORIGINS", "localhost").split(',') + for prot in ('http', 'https') + ], + f'{SERVER_URL}}' +] + # Application definition INSTALLED_APPS = [
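Review bot: The new comment in default.env calls the entries URLs, but the value is a list of bare `host[:port]` entries that the settings.py hunk prefixes with `http://` and `https://`. The shipped default `"localhost"` means any deployment that copies this file unchanged accepts both localhost origins for CSRF-protected POSTs. Since the comment says the external URL is already included, an empty template value, `INVENTORY_TRUSTED_ORIGINS=""`, looks safer, although settings.py would then need to skip empty entries. I would also reword the comment to `# extra host[:port] entries accepted as Origin for POST requests (comma separated, no scheme)`. The port is part of the origin match, so the Readme's `localhost:8000` and this `localhost` are not equivalent.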
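Review bot: The last element of `CSRF_TRUSTED_ORIGINS`, `f'{SERVER_URL}}'`, has an unmatched `}`, which Python rejects as a syntax error in an f-string, so the settings module would fail to import. It should be `f'{SERVER_URL}'` or simply `SERVER_URL`, whose definition is outside this hunk. The comprehension also takes each comma-separated piece as-is, so `a, b` yields `http:// b` and an empty value yields a bare `http://`. Using `f'{prot}://{host.strip()}'` and adding an `if host.strip()` clause after the `for host in ...` line avoids entries that can never match. Trusting the `http://` form of every host is also broader than an HTTPS deployment needs, because a page served over plain HTTP then passes the origin check, so consider taking the scheme from the external URL instead of always adding both.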