diff --git a/php/add.php b/php/add.php
index d8bfe925..0a072722 100644
--- a/php/add.php
+++ b/php/add.php
@@ -3,21 +3,24 @@ if(!isset($_POST['domain'], $_POST['list'], $_POST['token']))
     die("Missing POST variables");
 
 // Check CORS
-if($_SERVER['HTTP_ORIGIN'] == "http://pi.hole" || $_SERVER['HTTP_ORIGIN'] == "http://${_SERVER['SERVER_ADDR']}")
-    header("Access-Control-Allow-Origin: ${_SERVER['HTTP_ORIGIN']}");
-else if($_SERVER['HTTP_HOST'] == $_SERVER['SERVER_ADDR'] || $_SERVER['HTTP_HOST'] == "pi.hole")
-    header("Access-Control-Allow-Origin: ${_SERVER['HTTP_HOST']}");
-else
-    die("Failed CORS");
-
-session_start();
+if(isset($_SERVER['HTTP_ORIGIN'])) {
+    if ($_SERVER['HTTP_ORIGIN'] == "http://pi.hole" ||
+        $_SERVER['HTTP_ORIGIN'] == "http://${_SERVER['SERVER_ADDR']}" ||
+        $_SERVER['HTTP_ORIGIN'] == "http://localhost"
+    )
+        header("Access-Control-Allow-Origin: ${_SERVER['HTTP_ORIGIN']}");
+    else
+        die("Failed CORS");
+}
+// Otherwise probably same origin... out of the scope of CORS
 
 // Check CSRF token
+session_start();
 if(!hash_equals($_SESSION['token'], $_POST['token']))
     die("Wrong token");
 
 switch($_POST['list']) {
-    case "white":
+    case "white":
         echo exec("sudo pihole -w -q ${_POST['domain']}");
         break;
     case "black":
diff --git a/php/sub.php b/php/sub.php
index cee19723..aa13d4c1 100644
--- a/php/sub.php
+++ b/php/sub.php
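Review bot: `$_POST['domain']` still reaches the shell unquoted on the context line `echo exec("sudo pihole -w -q ${_POST['domain']}");` directly under the re-indented `case "white":`, so once the Origin and token checks pass a value such as `example.com; id` runs as a second command under sudo — the commit reorders the checks but leaves that sink untouched. Quote the argument, `echo exec("sudo pihole -w -q " . escapeshellarg($_POST['domain']));`, and presumably the `"black"` branch below the hunk needs the same treatment. The token check reads `$_SESSION['token']` with no `isset()` guard, so a request on a fresh session feeds `null` to `hash_equals()` — an uncaught TypeError on PHP 8 and a warning before the deny on PHP 7 — which `if(!isset($_SESSION['token']) || !hash_equals($_SESSION['token'], $_POST['token']))` keeps as a clean `die("Wrong token")`. The new Origin whitelist only accepts `http://` forms, so if the admin page is ever served over TLS the browser's `https://pi.hole` Origin is rejected with "Failed CORS"; worth either documenting as intentional or matching the request scheme. The `switch` statement continues past the end of the hunk.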
@@ -3,16 +3,19 @@ if(!isset($_POST['domain'], $_POST['list'], $_POST['token']))
     die("Missing POST variables");
 
 // Check CORS
-if($_SERVER['HTTP_ORIGIN'] == "http://pi.hole" || $_SERVER['HTTP_ORIGIN'] == "http://${_SERVER['SERVER_ADDR']}")
-    header("Access-Control-Allow-Origin: ${_SERVER['HTTP_ORIGIN']}");
-else if($_SERVER['HTTP_HOST'] == $_SERVER['SERVER_ADDR'] || $_SERVER['HTTP_HOST'] == "pi.hole")
-    header("Access-Control-Allow-Origin: ${_SERVER['HTTP_HOST']}");
-else
-    die("Failed CORS");
-
-session_start();
+if(isset($_SERVER['HTTP_ORIGIN'])) {
+    if ($_SERVER['HTTP_ORIGIN'] == "http://pi.hole" ||
+        $_SERVER['HTTP_ORIGIN'] == "http://${_SERVER['SERVER_ADDR']}" ||
+        $_SERVER['HTTP_ORIGIN'] == "http://localhost"
+    )
+        header("Access-Control-Allow-Origin: ${_SERVER['HTTP_ORIGIN']}");
+    else
+        die("Failed CORS");
+}
+// Otherwise probably same origin... out of the scope of CORS
 
 // Check CSRF token
+session_start();
 if(!hash_equals($_SESSION['token'], $_POST['token']))
     die("Wrong token");