diff --git a/src/middleware/cors.js b/src/middleware/cors.js
index 7a9461b89..b99493bfb 100644
--- a/src/middleware/cors.js
+++ b/src/middleware/cors.js
@@ -20,6 +20,7 @@ module.exports = function cors(options) {
 if (!requestOrigin) return next();
 requestOrigin = url.parse(requestOrigin);
+ if (!requestOrigin.host) return res.status(405).send('CORS not allowed from this domain');
 var hostname = requestOrigin.host.split(':')[0]; // remove any port
 var originAllowed = origins.some(function (o) { return o === '*' || o === hostname; });
diff --git a/src/test/server-test.js b/src/test/server-test.js
index 865adc314..7587606d3 100644
--- a/src/test/server-test.js
+++ b/src/test/server-test.js
@@ -235,6 +235,15 @@ describe('Server', function () {
 });
 });
+ it('does not crash for malformed origin', function (done) {
+ superagent('OPTIONS', SERVER_URL + '/api/v1/cloudron/status')
+ .set('Origin', 'foobar')
+ .end(function (error, res) {
+ expect(res.statusCode).to.be(405);
+ done();
+ });
+ });
+
 after(function (done) {
 server.stop(function () {
 done();
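Review bot: The added guard on `requestOrigin.host` stops the following `requestOrigin.host.split(':')[0]` from throwing, but that split is still wrong for bracketed IPv6 origins such as `http://[::1]:3000`, where the legacy parser's `host` is `[::1]:3000` and the split yields `[`; since `url.parse` already exposes the port-less form, guarding on and using `requestOrigin.hostname` — `if (!requestOrigin.hostname) return res.status(405).send('CORS not allowed from this domain');` followed by `var hostname = requestOrigin.hostname;` — covers both the malformed case and the IPv6 case. `url.parse` is the deprecated legacy parser; if this is ever moved to `new URL()`, keep in mind that it throws on malformed input instead of returning a null host, so the guard would have to become a try/catch around the parse. The 405 status reads as Method Not Allowed for what is an origin rejection; I assume it mirrors the status used by the existing disallowed-origin branch further down, outside this hunk — if not, 403 is the conventional choice. The enclosing cors function starts and ends outside the hunk.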
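Review bot: The added `.end(function (error, res) { ... })` callback reads `res.statusCode` without checking `error` or `res`, so if the server really did fall over for this origin — the case the test is named for — `res` would be undefined and the test would die with a TypeError inside the callback rather than a readable assertion failure; adding `expect(res).to.be.ok();` before the status check keeps the failure an assertion. If I recall superagent's behaviour correctly, a 4xx reply populates `error` while still passing `res`, so ignoring `error` on the expected path is fine. The enclosing `describe('Server', ...)` block starts and ends outside the hunk.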