diff --git a/infrastructure/terraform/dev.tfvars b/infrastructure/terraform/dev.tfvars
index 72c987d0..93e7804a 100644
--- a/infrastructure/terraform/dev.tfvars
+++ b/infrastructure/terraform/dev.tfvars
@@ -5,4 +5,11 @@ region = "eu-west-2"
 # Database
 allocated_storage = 20
 instance_class = "db.t3.micro"
-database_name = "DevAssessmentModelDB"
\ No newline at end of file
+database_name = "DevAssessmentModelDB"
+
+# S3
+allowed_origins = ["*"]
+# For prod this should be something like:
+# allowed_origins = ["https://www.assessment-model.vercel.app"]
+# or whatever we end up calling the prod site
+
diff --git a/infrastructure/terraform/modules/s3_presignable_bucket/main.tf b/infrastructure/terraform/modules/s3_presignable_bucket/main.tf
index 6c8bf541..b8c02106 100644
--- a/infrastructure/terraform/modules/s3_presignable_bucket/main.tf
+++ b/infrastructure/terraform/modules/s3_presignable_bucket/main.tf
@@ -2,6 +2,14 @@ resource "aws_s3_bucket" "bucket" {
 bucket = "retrofit-plan-inputs-${var.environment}"
 acl = "private"
+ cors_rule {
+ allowed_headers = ["Content-Type", "Authorization"]
+ allowed_methods = ["PUT"]
+ allowed_origins = var.allowed_origins
+ expose_headers = ["ETag"]
+ max_age_seconds = 3000
+ }
+
 server_side_encryption_configuration {
 rule {
 apply_server_side_encryption_by_default {
diff --git a/infrastructure/terraform/modules/s3_presignable_bucket/variables.tf b/infrastructure/terraform/modules/s3_presignable_bucket/variables.tf
index 285e38a9..36be17ae 100644
--- a/infrastructure/terraform/modules/s3_presignable_bucket/variables.tf
+++ b/infrastructure/terraform/modules/s3_presignable_bucket/variables.tf
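Review bot: `allowed_origins = ["*"]` in dev.tfvars lets a page on any origin drive a browser PUT against the dev bucket whenever it holds a valid pre-signed URL, which is wider than the localhost use that the comment in the module's variables.tf gives as the reason. Listing the local dev origin instead keeps the rule to what is needed, for example `allowed_origins = ["http://localhost:<dev-port>"]` (placeholder port, plus a preview URL if one is used). The production value exists only as a comment here and no prod tfvars change is visible in this diff, so it is worth confirming that the prod value is set explicitly before the module is applied there.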
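Review bot: `allowed_headers` in the new `cors_rule` of main.tf lists `Authorization`, which a pre-signed upload does not send because the signature travels in the URL query string; if the bucket is only written through pre-signed URLs, as the module name suggests, `allowed_headers = ["Content-Type"]` is enough. Should the signed request also carry `x-amz-*` headers (server-side encryption or metadata, say), those would need listing here for the preflight to pass; that depends on the signing code, which is outside this diff. The `aws_s3_bucket` resource body continues past the end of the hunk.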
@@ -1,4 +1,13 @@
 variable "environment" {
 description = "The environment for the bucket (dev or prod)"
 type = string
+}
+
+# Between production and development, we need to specify the
+# allowed origins for CORS differently. This variable is set to allow
+# us to generate pre-signed urls and in development, we want to be able to
+# do so from localhost.
+variable "allowed_origins" {
+ description = "Allowed origins for CORS"
+ type = list(string)
 }
\ No newline at end of file
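Review bot: The `allowed_origins` variable carries no guidance on the wildcard: its description is only "Allowed origins for CORS", and nothing in the hunk ties the value to `var.environment`, so `["*"]` could be copied into a prod tfvars file without any plan-time complaint. I would spell the contract out in the description, e.g. `description = "Origins allowed to PUT to the bucket from a browser; [\"*\"] is for dev only"`. The comment above the variable could also say that CORS controls where the pre-signed URLs can be used from a browser, not where they are generated. Leaving the variable without a default is worth keeping, since each environment then has to state its origins explicitly.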