diff --git a/next.config.js b/next.config.js
index e6beb9c..f7f109f 100644
--- a/next.config.js
+++ b/next.config.js
@@ -1,14 +1,14 @@
-
 const basePath = process.env.NEXT_PUBLIC_BASE_PATH ?? '/auth';
+const domain = process.env.NOTIFY_DOMAIN_NAME ?? 'localhost:3000';
 
 module.exports = {
   basePath,
 
   async redirects() {
     /*
-    * Doing redirect rewrites will bypass NextJs' base path
-    * Without it a redirect('/templates/create-and-submit') would go to /auth/templates/create-and-submit
-    */
+     * Doing redirect rewrites will bypass NextJs' base path
+     * Without it a redirect('/templates/create-and-submit') would go to /auth/templates/create-and-submit
+     */
     return [
       {
         source: `${basePath}/redirect/:path*`,
@@ -22,7 +22,13 @@ module.exports = {
         destination: '/',
         basePath: false,
         permanent: false,
-      }
+      },
     ];
   },
-}
+
+  experimental: {
+    serverActions: {
+      allowedOrigins: [domain, domain.replace('iam', 'web-gateway')],
+    },
+  },
+};
diff --git a/src/middleware.ts b/src/middleware.ts
index 447d470..43cf089 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -13,6 +13,11 @@ export function middleware(request: NextRequest) {
 
   requestHeaders.set('Content-Security-Policy', csp);
 
+  // requestHeaders.set(
+  //   'x-forwarded-host',
+  //   requestHeaders.get('origin')?.replace('https://', '') || '*'
+  // );
+
   const response = NextResponse.next({
     request: {
       headers: requestHeaders,