diff --git a/deployment/environments/group_vars/all/vitamui_vars.yml b/deployment/environments/group_vars/all/vitamui_vars.yml
index fdaa707cc750ae13d7ff18c01a8be963bb649737..4d342c705097f945e216120e4e1aed93c8cb5c25 100755
--- a/deployment/environments/group_vars/all/vitamui_vars.yml
+++ b/deployment/environments/group_vars/all/vitamui_vars.yml
@@ -168,6 +168,7 @@ vitamui:
       root_log_level: "ERROR"
       vitamui_level: "INFO"
     reset_password_url: /extras/resetPassword?username={username}&firstname={firstname}&lastname={lastname}&language={language}&ttl=1day
+    cors.enabled: false
   security_internal:
     host: "vitamui-security-internal.service.consul"
     vitamui_component: "security-internal"
diff --git a/deployment/roles/vitamui/templates/cas-server/application.yml.j2 b/deployment/roles/vitamui/templates/cas-server/application.yml.j2
index e3ca32c986df30ae977ef039812cec85855300c2..2e3bb642dd075b8f4a0e7e0aa607dd49d903a2d1 100644
--- a/deployment/roles/vitamui/templates/cas-server/application.yml.j2
+++ b/deployment/roles/vitamui/templates/cas-server/application.yml.j2
@@ -198,3 +198,12 @@ logging:
     fr.gouv.vitamui.cas: DEBUG
     org.elasticsearch.metrics: DEBUG
     fr.gouv.vitamui.commons: DEBUG
+
+{% if vitamui.cas_server.cors.enabled|lower == "true" %}
+# Cas CORS (necessary for mobile app)
+cas.httpWebRequest.cors.enabled: true
+cas.httpWebRequest.cors.allowCredentials: false
+cas.httpWebRequest.cors.allowOrigins: ['*']
+cas.httpWebRequest.cors.allowMethods: ['*']
+cas.httpWebRequest.cors.allowHeaders: ['*']
+{% endif %}
\ No newline at end of file