diff --git a/core/server/services/auth/session/index.js b/core/server/services/auth/session/index.js
index d7211608e3..2a66cd4090 100644
--- a/core/server/services/auth/session/index.js
+++ b/core/server/services/auth/session/index.js
@@ -13,7 +13,7 @@ function getOriginOfRequest(req) {
     const origin = req.get('origin');
     const referrer = req.get('referrer') || urlUtils.getAdminUrl() || urlUtils.getSiteUrl();
 
-    if (!origin && !referrer) {
+    if (!origin && !referrer || origin === 'null') {
         return null;
     }
 
diff --git a/core/server/web/api/middleware/cors.js b/core/server/web/api/middleware/cors.js
index c5de1fc3a5..4f8da966c7 100644
--- a/core/server/web/api/middleware/cors.js
+++ b/core/server/web/api/middleware/cors.js
@@ -68,7 +68,7 @@ function handleCORS(req, cb) {
     const origin = req.get('origin');
 
     // Request must have an Origin header
-    if (!origin) {
+    if (!origin || origin === 'null') {
         return cb(null, DISABLE_CORS);
     }
 
diff --git a/core/server/web/site/app.js b/core/server/web/site/app.js
index 509e930747..89fcffc6df 100644
--- a/core/server/web/site/app.js
+++ b/core/server/web/site/app.js
@@ -31,7 +31,7 @@ const corsOptionsDelegate = function corsOptionsDelegate(req, callback) {
         credentials: true // required to allow admin-client to login to private sites
     };
 
-    if (!origin) {
+    if (!origin || origin === 'null') {
         return callback(null, corsOptions);
     }
 
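Review bot: The new condition in getOriginOfRequest mixes `&&` and `||` without parentheses, so its meaning depends on operator precedence; it evaluates as `(!origin && !referrer) || origin === 'null'`, which is the intent, but the grouping should be explicit so a later edit does not silently change it: `if ((!origin && !referrer) || origin === 'null') {`. The reason for the extra test is also worth a line above it, since a reader may take `'null'` for a typo: `// Browsers send the literal string "null" as the Origin for opaque origins (sandboxed frames, some redirects); it identifies no site and must not be accepted as one`. The same `origin === 'null'` test is added verbatim in cors.js and site/app.js in this commit; a small shared predicate (e.g. `isUsableOrigin(origin)`) would keep the three checks from drifting apart. The body of getOriginOfRequest continues past this hunk, so anything it does with `referrer` when `origin` is `'null'` cannot be judged from here.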
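Review bot: The comment kept above the changed line in handleCORS, `// Request must have an Origin header`, no longer describes the condition, which now also rejects a present but opaque Origin; a reader would assume the `'null'` branch is unreachable. Suggested replacement: `// Request must carry a real Origin header; an opaque origin is sent as the literal "null" and is treated the same as a missing one`. The rest of handleCORS, including what DISABLE_CORS does to the response, lies outside the hunk.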
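Review bot: The early return in corsOptionsDelegate hands back `corsOptions` for a `'null'` Origin exactly as it does for a missing one, and that object carries `credentials: true`; whether this is safe depends on the `origin` property of `corsOptions`, which is set above the visible context. If it is `false` (so no Access-Control-Allow-Origin is emitted), the change is fine; if it reflects the request origin, credentials would be offered to an opaque origin, which should be confirmed against the lines just above the hunk. A one-line comment on the condition would help either way: `// "null" is the Origin value for opaque origins; treat it like no Origin and fall through to the default (non-CORS) options`. The function continues beyond this hunk.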