diff --git a/lib/mvcfronk/mfBase/mfBaseApicontroller.php b/lib/mvcfronk/mfBase/mfBaseApicontroller.php
index 1d06741d5..a8c82750b 100644
--- a/lib/mvcfronk/mfBase/mfBaseApicontroller.php
+++ b/lib/mvcfronk/mfBase/mfBaseApicontroller.php
@@ -50,8 +50,6 @@ class mfBaseApicontroller {
 header("Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS");
 header("Access-Control-Allow-Headers: X-Api-Key");
- $this->log->debug("origin header: ".$this->headers['origin']);
-
 if(preg_match('#^(https?)://([^/:]+)(:\d+)?/?$#i', $this->headers['origin'], $m)) {
 $origin_proto = $m[1];
 $origin_hostname = $m[2];
@@ -330,6 +328,15 @@ class mfBaseApicontroller {
 if(preg_match('#^(https?)://([^/:]+)(:\d+)?/?$#i', $this->headers['origin'], $m)) {
 $request_origin['proto'] = $m[1];
 $request_origin['hostname'] = $m[2];
+ } else {
+ $this->return(mfResponse::Forbidden(["message" => "Malformed Origin header"]));
+ }
+
+ if($request_origin['hostname'] == "localhost") {
+ // always allow requests from localhost
+ $this->log->debug("Allowing localhost Origin");
+ header("Access-Control-Allow-Origin: ".$request_origin['proto']."://".$request_origin['hostname']);
+ return true;
+ }
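Review bot: The new `else` branch in the second hunk treats an absent Origin header the same as a malformed one, so any request that carries no Origin at all (non-browser clients, same-origin navigations) now reaches `mfResponse::Forbidden` as far as this hunk shows; guard that case first with `if(!isset($this->headers['origin']))` and handle it deliberately, since a request without Origin is not a cross-origin request and presumably should not be rejected with "Malformed Origin header". If `$this->return()` does not terminate the request, execution also falls through with `$request_origin['hostname']` unset, so an explicit `return false;` (or whatever the rest of the method returns on rejection) after it would make the branch self-contained. The hard-coded localhost allow discards the port captured by `(:\d+)?`, so the emitted `Access-Control-Allow-Origin` only matches an origin of exactly `http://localhost` or `https://localhost`, and within that limit it unconditionally grants cross-origin access to any page served on the user's own machine on the default port — consider gating it on a development-environment flag or a configured allow-list rather than a literal, and use `===` for the string comparison. The enclosing method starts and ends outside the hunk.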