diff --git a/server/src/middleware/board-mutation-guard.ts b/server/src/middleware/board-mutation-guard.ts
index feff3b40..96e2a461 100644
--- a/server/src/middleware/board-mutation-guard.ts
+++ b/server/src/middleware/board-mutation-guard.ts
@@ -24,6 +24,12 @@ function trustedOriginsForRequest(req: Request) {
     origins.add(`http://${host}`.toLowerCase());
     origins.add(`https://${host}`.toLowerCase());
   }
+  // Behind some reverse proxies the Host / X-Forwarded-Host header may
+  // not match the public URL (for example when TLS terminates at the
+  // edge and the inbound Host is an internal service name). Trust the
+  // explicitly-configured PAPERCLIP_PUBLIC_URL when it's set.
+  const publicUrl = parseOrigin(process.env.PAPERCLIP_PUBLIC_URL?.trim());
+  if (publicUrl) origins.add(publicUrl);
   return origins;
 }
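Review bot: The configured origin added at `if (publicUrl) origins.add(publicUrl);` skips the `.toLowerCase()` that the Host-derived entries on the two context lines above receive, so a mixed-case PAPERCLIP_PUBLIC_URL only matches an incoming Origin if parseOrigin itself normalizes case, which is not visible in this hunk; `if (publicUrl) origins.add(publicUrl.toLowerCase());` keeps every entry in the set on the same footing. When the variable is set but parseOrigin rejects it, the fallback is silent and the guard keeps running with only the Host-derived origins, so the misconfiguration surfaces later as rejected board mutations behind the proxy rather than at deploy time; a one-time warning at startup when PAPERCLIP_PUBLIC_URL is non-empty yet unparseable would make that visible. Reading and parsing the env var on every request also works but could be hoisted to module scope since it does not depend on req. trustedOriginsForRequest starts outside the hunk.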