diff --git a/package-lock.json b/package-lock.json
index b0fb9ef9c2..e007d34307 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -32300,7 +32300,7 @@
     "node_modules/policyfile": {
       "version": "0.0.4",
       "resolved": "https://registry.npmjs.org/policyfile/-/policyfile-0.0.4.tgz",
-      "integrity": "sha1-1rgurZiueeviKOLa9ZAzEeyYLk0=",
+      "integrity": "sha512-UfDtlscNialXfmVEwEPm0t/5qtM0xPK025eYWd/ilv89hxLIhVQmt3QIzMHincLO2MBtZyww0386pt13J4aIhQ==",
       "engines": {
         "node": "*"
       }
@@ -35199,6 +35199,15 @@
         "node": ">=8"
       }
     },
+    "node_modules/redis": {
+      "version": "0.7.3",
+      "resolved": "https://registry.npmjs.org/redis/-/redis-0.7.3.tgz",
+      "integrity": "sha512-0Pgb0jOLfn6eREtEIRn/ifyZJjl2H+wUY4F/Pe7T4UhmoSrZ/1HU5ZqiBpDk8I8Wbyv2N5DpXKzbEtMj3drprg==",
+      "optional": true,
+      "engines": {
+        "node": "*"
+      }
+    },
     "node_modules/redis-commands": {
       "version": "1.7.0",
       "resolved": "https://registry.npmjs.org/redis-commands/-/redis-commands-1.7.0.tgz",
@@ -37141,8 +37150,8 @@
       }
     },
     "node_modules/socket.io": {
-      "version": "0.9.19-overleaf-10",
-      "resolved": "git+ssh://git@github.com/overleaf/socket.io.git#7ac322c2a5b26a4647834868d78afbb0db1f8849",
+      "version": "0.9.19-overleaf-11",
+      "resolved": "git+ssh://git@github.com/overleaf/socket.io.git#5afa587036620afa232d0f7b778ebb1541d7e4d5",
       "dependencies": {
         "base64id": "0.1.0",
         "policyfile": "0.0.4"
@@ -37174,15 +37183,6 @@
         "ultron": "1.0.x"
       }
     },
-    "node_modules/socket.io/node_modules/redis": {
-      "version": "0.7.3",
-      "resolved": "https://registry.npmjs.org/redis/-/redis-0.7.3.tgz",
-      "integrity": "sha512-0Pgb0jOLfn6eREtEIRn/ifyZJjl2H+wUY4F/Pe7T4UhmoSrZ/1HU5ZqiBpDk8I8Wbyv2N5DpXKzbEtMj3drprg==",
-      "optional": true,
-      "engines": {
-        "node": "*"
-      }
-    },
     "node_modules/sockjs": {
       "version": "0.3.24",
       "resolved": "https://registry.npmjs.org/sockjs/-/sockjs-0.3.24.tgz",
@@ -43958,7 +43958,7 @@
         "lodash": "^4.17.21",
         "proxy-addr": "^2.0.7",
         "request": "^2.88.2",
-        "socket.io": "github:overleaf/socket.io#0.9.19-overleaf-10",
+        "socket.io": "github:overleaf/socket.io#0.9.19-overleaf-11",
         "socket.io-client": "github:overleaf/socket.io-client#0.9.17-overleaf-5"
       },
       "devDependencies": {
diff --git a/services/real-time/app.js b/services/real-time/app.js
index 85b469bf90..4fecd8f8a6 100644
--- a/services/real-time/app.js
+++ b/services/real-time/app.js
@@ -83,6 +83,33 @@ io.configure(function () {
   io.set('match origin protocol', true)
 
   io.set('transports', ['websocket', 'xhr-polling'])
+
+  if (Settings.allowedCorsOrigins) {
+    // Create a regex for matching origins, allowing wildcard subdomains
+    const allowedCorsOriginsRegex = new RegExp(
+      `^${Settings.allowedCorsOrigins.replaceAll('.', '\\.').replace('://*', '://[^.]+')}(?::443)?$`
+    )
+
+    io.set('origins', function (origin, req) {
+      const normalizedOrigin = URL.parse(origin).origin
+      const originIsValid = allowedCorsOriginsRegex.test(normalizedOrigin)
+
+      if (req.headers.origin) {
+        return originIsValid
+      }
+
+      if (!originIsValid) {
+        // There is no Origin header and the Referrer does not satisfy the
+        // constraints. We're going to pass this anyway for now but log it
+        logger.warn(
+          { req, referer: req.headers.referer },
+          'Referrer header does not match allowed origins'
+        )
+      }
+
+      return true
+    })
+  }
 })
 
 // Serve socket.io.js client file from imported dist folder
diff --git a/services/real-time/config/settings.defaults.js b/services/real-time/config/settings.defaults.js
index 96c116fb2e..57b0a50a42 100644
--- a/services/real-time/config/settings.defaults.js
+++ b/services/real-time/config/settings.defaults.js
@@ -173,6 +173,7 @@ const settings = {
   behindProxy: process.env.BEHIND_PROXY === 'true',
   trustedProxyIps: process.env.TRUSTED_PROXY_IPS,
   keepAliveTimeoutMs: parseInt(process.env.KEEPALIVE_TIMEOUT_MS ?? '5000', 10),
+  allowedCorsOrigins: process.env.REAL_TIME_ALLOWED_CORS_ORIGINS,
 }
 
 // console.log settings.redis
diff --git a/services/real-time/package.json b/services/real-time/package.json
index 33c75ecf9f..2d5f87a109 100644
--- a/services/real-time/package.json
+++ b/services/real-time/package.json
@@ -34,7 +34,7 @@
     "lodash": "^4.17.21",
     "proxy-addr": "^2.0.7",
     "request": "^2.88.2",
-    "socket.io": "github:overleaf/socket.io#0.9.19-overleaf-10",
+    "socket.io": "github:overleaf/socket.io#0.9.19-overleaf-11",
     "socket.io-client": "github:overleaf/socket.io-client#0.9.17-overleaf-5"
   },
   "devDependencies": {