diff --git a/core/src/main/java/nl/tudelft/ewi/auta/core/authentication/CorsPatchFilter.java b/core/src/main/java/nl/tudelft/ewi/auta/core/authentication/CorsPatchFilter.java
index f71674fdab7dc3a97d3f323b347347ae480cb30a..d79296dbf8eeeb1952f9c6378121e483951dd4fd 100644
--- a/core/src/main/java/nl/tudelft/ewi/auta/core/authentication/CorsPatchFilter.java
+++ b/core/src/main/java/nl/tudelft/ewi/auta/core/authentication/CorsPatchFilter.java
@@ -10,6 +10,7 @@ import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Service;
 import org.springframework.web.filter.GenericFilterBean;
 
+import javax.annotation.Nullable;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
@@ -187,10 +188,12 @@ public class CorsPatchFilter extends GenericFilterBean {
      * @return {@code true} if the headers may need patching, {@code false} otherwise
      */
     private boolean requiresHeaderPatchCheck(
-            final HttpServletRequest req, final String origin
+            final HttpServletRequest req, final @Nullable String origin
     ) {
         final var allowedOrigins = this.settings.get("allowed API origins", List.class);
-        return allowedOrigins.contains(origin) && req.getRequestURI().startsWith("/api");
+        return origin != null
+                && allowedOrigins.contains(origin)
+                && req.getRequestURI().startsWith("/api");
     }
 
     /**