diff --git a/lib/middlewares/cors.js b/lib/middlewares/cors.js
index 93279a2b9..fdda32297 100644
--- a/lib/middlewares/cors.js
+++ b/lib/middlewares/cors.js
@@ -9,6 +9,7 @@ var processOrigin = function (origin, callback) {
 var originParsed = parseDomain(origin) || {}
 var allow = [
 process.env.FULL_API_DOMAIN,
+ process.env.SECONDARY_FULL_API_DOMAIN,
 process.env.FULL_FRONTEND_DOMAIN
 ]
 .some(function (domain) {
diff --git a/lib/middlewares/csrf.js b/lib/middlewares/csrf.js
index 975ff9000..a4390484c 100644
--- a/lib/middlewares/csrf.js
+++ b/lib/middlewares/csrf.js
@@ -11,15 +11,19 @@ module.exports.csrfValidator = function (req, res, next) {
 csurfMiddleware(req, res, next)
 }
 
-module.exports.csrfCookieInjector = function (req, res, next) {
- if (!exists(req.headers.origin)) {
- return next()
- }
-
- var parsedDomain = parseDomain(process.env.FULL_API_DOMAIN) || {}
+module.exports.injectCookie = function (res, req, domain) {
+ var parsedDomain = parseDomain(domain) || {}
 res.cookie('CSRF-TOKEN', req.csrfToken(), {
 httpOnly: false,
 domain: '.' + parsedDomain.domain + '.' + parsedDomain.tld
 })
+}
+
+module.exports.csrfCookieInjector = function (req, res, next) {
+ if (!exists(req.headers.origin)) {
+ return next()
+ }
+ module.exports.injectCookie(res, req, process.env.FULL_API_DOMAIN)
+ module.exports.injectCookie(res, req, process.env.SECONDARY_FULL_API_DOMAIN)
 next()
 }
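Review bot: The new `process.env.SECONDARY_FULL_API_DOMAIN` entry in the `allow` list of lib/middlewares/cors.js is `undefined` on any deployment that does not set the variable, and the list reaches `.some(...)` unfiltered. The callback body lies outside this hunk, so how an undefined entry is treated cannot be confirmed from here; if it compares parsed parts against `originParsed`, which itself falls back to `{}`, an unparseable origin might compare equal to an unset entry. Dropping empty entries first, with `].filter(Boolean)` ahead of `.some(function (domain) {`, keeps the allowlist to domains that are actually configured. A one-line comment on the array stating that the secondary domain is optional would also help the next reader.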
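Review bot: `injectCookie` in lib/middlewares/csrf.js still builds a cookie when `domain` is unset, because `parseDomain(domain) || {}` falls back to `{}` and the `CSRF-TOKEN` cookie is then issued with `domain: '.undefined.undefined'` wherever `SECONDARY_FULL_API_DOMAIN` is not configured. Returning early avoids that, for example `var parsedDomain = parseDomain(domain)` followed by `if (!parsedDomain) { return }`, assuming `parseDomain` yields a falsy value for such input as the existing `|| {}` suggests. The exported helper also takes `(res, req, domain)`, the reverse of the `(req, res, next)` order used by the other exports in this file; `(req, res, domain)` would be harder to call wrongly. Because this cookie is readable by script (`httpOnly: false`) and is now scoped to a second parent domain, it is worth confirming that every host under that domain is trusted to read the token.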