diff --git a/api/src/setting/services/setting.service.spec.ts b/api/src/setting/services/setting.service.spec.ts
index 76f0900c..3c741738 100644
--- a/api/src/setting/services/setting.service.spec.ts
+++ b/api/src/setting/services/setting.service.spec.ts
@@ -166,6 +166,7 @@ describe('SettingService', () => {
 });
 expect(result).toEqual(
 new Set([
+ '*',
 'https://example.com',
 'https://test.com',
 'https://another.com',
@@ -173,7 +174,7 @@ describe('SettingService', () => {
 );
 });
- it('should return an empty set if no settings are found', async () => {
+ it('should return the config allowed cors only if no settings are found', async () => {
 jest.spyOn(settingService, 'find').mockResolvedValue([]);
 const result = await settingService.getAllowedOrigins();
@@ -181,7 +182,7 @@ describe('SettingService', () => {
 expect(settingService.find).toHaveBeenCalledWith({
 label: 'allowed_domains',
 });
- expect(result).toEqual(new Set());
+ expect(result).toEqual(new Set(['*']));
 });
 it('should handle settings with empty values', async () => {
@@ -197,7 +198,7 @@ describe('SettingService', () => {
 expect(settingService.find).toHaveBeenCalledWith({
 label: 'allowed_domains',
 });
- expect(result).toEqual(new Set(['https://example.com']));
+ expect(result).toEqual(new Set(['*', 'https://example.com']));
 });
 });
 });
diff --git a/api/src/setting/services/setting.service.ts b/api/src/setting/services/setting.service.ts
index b9f98fd5..56fffba3 100644
--- a/api/src/setting/services/setting.service.ts
+++ b/api/src/setting/services/setting.service.ts
@@ -142,12 +142,16 @@ export class SettingService extends BaseService {
 label: 'allowed_domains',
 })) as TextSetting[];
- const uniqueOrigins = new Set(
- settings.flatMap((setting) =>
- setting.value.split(',').filter((o) => !!o),
- ),
+ const allowedDomains = settings.flatMap((setting) =>
+ setting.value.split(',').filter((o) => !!o),
 );
+ const uniqueOrigins = new Set([
+ ...config.security.cors.allowOrigins,
+ ...config.sockets.onlyAllowOrigins,
+ ...allowedDomains,
+ ]);
+
 return uniqueOrigins;
 }
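Review bot: The new `uniqueOrigins` set unions `config.security.cors.allowOrigins` and `config.sockets.onlyAllowOrigins` with the stored `allowed_domains`, so an origin configured for one surface only is accepted wherever this set is consulted, and the updated spec shows a literal `'*'` landing in the result. How callers interpret `'*'` is not visible here (the method starts outside the hunk): if it means allow-all, the `allowed_domains` setting no longer restricts anything while the config keeps its wildcard, and if callers do an exact `has(origin)` match the entry is inert. I would document that above the set, e.g. `// '*' from config means allow-all; callers must check for it explicitly and must not combine it with credentialed CORS`, and normalise the stored entries with `.map((o) => o.trim())` ahead of the `filter` so a value like `a.example, b.example` does not produce an unmatched ` b.example`. The spec also pins `'*'` from the ambient config rather than stubbing it, so those assertions depend on the test environment's defaults.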