diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index f32c1013..3f932d16 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -5,7 +5,7 @@ quarkusio.git-uri=https://github.com/quarkusio/quarkusio.github.io.git
 
 # More secure HTTP defaults
 quarkus.http.cors=true
-quarkus.http.cors.origins=https://quarkus.io,/https://.*\.quarkus\.io/,/https://quarkus-(web)?site-pr-[0-9]+-preview\.surge\.sh/
+quarkus.http.cors.origins=https://quarkus.io,/https://.*\\\\.quarkus\\\\.io/,/https://quarkus-(web)?site-pr-[0-9]+-preview\\\\.surge\\\\.sh/
 quarkus.http.cors.methods=GET
 quarkus.http.header."X-Content-Type-Options".value=nosniff
 quarkus.http.header."X-Frame-Options".value=deny
diff --git a/src/test/java/io/quarkus/search/app/SearchServiceTest.java b/src/test/java/io/quarkus/search/app/SearchServiceTest.java
index 9e76d80c..eda026eb 100644
--- a/src/test/java/io/quarkus/search/app/SearchServiceTest.java
+++ b/src/test/java/io/quarkus/search/app/SearchServiceTest.java
@@ -26,6 +26,7 @@
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
+import org.junit.jupiter.params.provider.ValueSource;
 
 import org.assertj.core.api.InstanceOfAssertFactories;
 import org.assertj.core.api.ThrowingConsumer;
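Review bot: The four-backslash escaping on the new `quarkus.http.cors.origins` line in application.properties is the entire fix and carries no comment, so a later cleanup could collapse it back to `\.` without anyone noticing that the dot then reaches the regex unescaped and matches any character. Presumably one level of backslashes is consumed when the .properties file is parsed and another when the comma-separated list value is split; a line above the property such as `# Regex dots need four backslashes here: two escaping layers are stripped before the pattern is compiled.` would record that. Separately, `.*` in the `quarkus.io` pattern accepts any characters before `.quarkus.io`; if the CORS filter does not match the whole origin string this is broader than intended, and a host-label class such as `[a-z0-9-]+` would be a tighter choice.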
@@ -149,6 +150,45 @@ void queryNotProvided() {
 assertThat(result.total()).isEqualTo(10);
 }
 
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "https://quarkus.io",
+ "https://es.quarkus.io",
+ "https://cn.quarkus.io",
+ "https://ja.quarkus.io",
+ "https://pt.quarkus.io",
+ "https://quarkus-site-pr-1825-preview.surge.sh",
+ "https://quarkus-website-pr-1825-preview.surge.sh"
+ })
+ void cors_allowed(String origin) {
+ given()
+ .header("Origin", origin)
+ .queryParam("q", "foo")
+ .when().get(GUIDES_SEARCH)
+ .then()
+ .statusCode(200)
+ .header("access-control-allow-origin", origin);
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "http://localhost:8080/guides",
+ "https://localhost:8080/guides",
+ "https://example.com/guides",
+ "https://example.com/",
+ "https://my-quarkus.io",
+ "https://quarkus-site-pr-1825-preview-surge.sh",
+ "https://quarkus-website-pr-1825-preview-surge.sh"
+ })
+ void cors_denied(String origin) {
+ given()
+ .header("Origin", origin)
+ .queryParam("q", "foo")
+ .when().get(GUIDES_SEARCH)
+ .then()
+ .statusCode(403);
+ }
+
 @ParameterizedTest
 @MethodSource
 void relevance(String query, URI[] expectedGuideUrls) {
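Review bot: The `cors_denied` value list has no origin in which an allowed host is only a prefix or an inner label, and none that differs from an allowed origin only by scheme, so the test would still pass if the configured patterns were matched without anchoring or if plain `http://` were accepted. Adding `"https://quarkus.io.example.com",` and `"http://quarkus.io",` to the `@ValueSource` of `cors_denied` would pin both properties. The first four entries carry a path or a trailing slash, which a browser-sent Origin header does not have, so they are likely rejected for that reason alone and say little about host matching; `"https://example.com"` without the slash would be the more telling case.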