diff --git a/awx/conf/apps.py b/awx/conf/apps.py
index 49993d6203..55e0d3753a 100644
--- a/awx/conf/apps.py
+++ b/awx/conf/apps.py
@@ -14,7 +14,7 @@ class ConfConfig(AppConfig):
 def ready(self):
 self.module.autodiscover()
- if not set(sys.argv) & {'migrate', 'check_migrations'}:
+ if not set(sys.argv) & {'migrate', 'check_migrations', 'showmigrations'}:
 from .settings import SettingsWrapper
 SettingsWrapper.initialize()
diff --git a/awx/main/conf.py b/awx/main/conf.py
index b21be34add..cb47c22e06 100644
--- a/awx/main/conf.py
+++ b/awx/main/conf.py
@@ -94,6 +94,20 @@ register(
 category_slug='system',
 )
+register(
+ 'CSRF_TRUSTED_ORIGINS',
+ default=[],
+ field_class=fields.StringListField,
+ label=_('CSRF Trusted Origins List'),
+ help_text=_(
+ "If the service is behind a reverse proxy/load balancer, use this setting "
+ "to configure the schema://addresses from which the service should trust "
+ "Origin header values. "
+ ),
+ category=_('System'),
+ category_slug='system',
+)
+
 register(
 'LICENSE',
 field_class=fields.DictField,
diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index 795cb44fe3..ff22d194de 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -158,6 +158,11 @@ REMOTE_HOST_HEADERS = ['REMOTE_ADDR', 'REMOTE_HOST']
 # REMOTE_HOST_HEADERS will be trusted unconditionally')
 PROXY_IP_ALLOWED_LIST = []
+# If we are behind a reverse proxy/load balancer, use this setting to
+# allow the scheme://addresses from which Tower should trust csrf requests from
+# If this setting is an empty list (the default), we will only trust ourself
+CSRF_TRUSTED_ORIGINS = []
+
 CUSTOM_VENV_PATHS = []
 # Warning: this is a placeholder for a database setting
diff --git a/awx/ui/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.js b/awx/ui/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.js
index b7ed41969a..bc7dc6efc8 100644
--- a/awx/ui/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.js
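Review bot: The growing literal `{'migrate', 'check_migrations', 'showmigrations'}` in `ready()` carries no comment saying why these commands skip `SettingsWrapper.initialize()`, so the next command that needs the same treatment is easy to miss. A one-line comment above the `if`, for example `# Skip settings initialization for migration-related management commands`, would record the intent; the underlying reason (presumably database tables that may not exist yet) should be confirmed by the author. Note also that `set(sys.argv)` matches the word anywhere on the command line, not only in the subcommand position. `ready()` may continue past the end of the hunk.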
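Review bot: `CSRF_TRUSTED_ORIGINS` is registered as a plain `fields.StringListField`, so any string is accepted into a list that decides which cross-origin requests pass the CSRF origin check. Each entry should be checked on save to be a `scheme://host[:port]` origin, and a wildcard-subdomain entry deserves a deliberate decision because it extends trust to every host under that domain; a value without a scheme is likely to be rejected or ignored by the framework (confirm against the Django version in use). The help text says `schema://addresses` where `scheme://` is meant, e.g. `"to configure the scheme://host origins from which the service should trust "`, and the same wording is copied into data.allSettingOptions.json. It is also worth confirming that a change made through the settings API actually reaches the running CSRF middleware, which may cache the parsed list per process.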
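Review bot: The comment above `CSRF_TRUSTED_ORIGINS = []` reads awkwardly (`trust csrf requests from` after `from which`, and `trust ourself`) and does not say what an entry looks like. Suggested wording: `# Origins (scheme://host[:port]) whose Origin header is trusted for CSRF checks when` / `# running behind a reverse proxy or load balancer. An empty list (the default)` / `# trusts only the service's own origin.` This is documentation only; the default value stays as it is.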
+++ b/awx/ui/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.js @@ -59,6 +59,7 @@ function MiscSystemDetail() { 'TOWER_URL_BASE', 'DEFAULT_EXECUTION_ENVIRONMENT', 'PROXY_IP_ALLOWED_LIST', + 'CSRF_TRUSTED_ORIGINS', 'AUTOMATION_ANALYTICS_LAST_GATHER', 'AUTOMATION_ANALYTICS_LAST_ENTRIES', 'UI_NEXT' diff --git a/awx/ui/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.test.js b/awx/ui/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.test.js index f30dd11693..c9c5c7f9cc 100644 --- a/awx/ui/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.test.js +++ b/awx/ui/src/screens/Setting/MiscSystem/MiscSystemDetail/MiscSystemDetail.test.js @@ -29,6 +29,7 @@ describe('', () => { TOWER_URL_BASE: 'https://towerhost', REMOTE_HOST_HEADERS: [], PROXY_IP_ALLOWED_LIST: [], + CSRF_TRUSTED_ORIGINS: [], LICENSE: null, REDHAT_USERNAME: 'name1', REDHAT_PASSWORD: '$encrypted$', diff --git a/awx/ui/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.js b/awx/ui/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.js index 9f2bf48d09..35c38f4873 100644 --- a/awx/ui/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.js +++ b/awx/ui/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.js @@ -53,6 +53,7 @@ function MiscSystemEdit() { 'TOWER_URL_BASE', 'DEFAULT_EXECUTION_ENVIRONMENT', 'PROXY_IP_ALLOWED_LIST', + 'CSRF_TRUSTED_ORIGINS', 'UI_NEXT' ); @@ -95,6 +96,7 @@ function MiscSystemEdit() { await submitForm({ ...form, PROXY_IP_ALLOWED_LIST: formatJson(form.PROXY_IP_ALLOWED_LIST), + CSRF_TRUSTED_ORIGINS: formatJson(form.CSRF_TRUSTED_ORIGINS), REMOTE_HOST_HEADERS: formatJson(form.REMOTE_HOST_HEADERS), DEFAULT_EXECUTION_ENVIRONMENT: form.DEFAULT_EXECUTION_ENVIRONMENT?.id || null, @@ -239,6 +241,11 @@ function MiscSystemEdit() { config={system.PROXY_IP_ALLOWED_LIST} isRequired /> + {submitError && } {revertError && } 
diff --git a/awx/ui/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.test.js b/awx/ui/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.test.js
index b8adaeef86..144ba7276d 100644
--- a/awx/ui/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.test.js
+++ b/awx/ui/src/screens/Setting/MiscSystem/MiscSystemEdit/MiscSystemEdit.test.js
@@ -39,6 +39,7 @@ const systemData = {
 REMOTE_HOST_HEADERS: ['REMOTE_ADDR', 'REMOTE_HOST'],
 TOWER_URL_BASE: 'https://localhost:3000',
 PROXY_IP_ALLOWED_LIST: [],
+ CSRF_TRUSTED_ORIGINS: [],
 UI_NEXT: false,
 };
diff --git a/awx/ui/src/screens/Setting/shared/data.allSettingOptions.json b/awx/ui/src/screens/Setting/shared/data.allSettingOptions.json
index 504158d042..10c398d94b 100644
--- a/awx/ui/src/screens/Setting/shared/data.allSettingOptions.json
+++ b/awx/ui/src/screens/Setting/shared/data.allSettingOptions.json
@@ -78,6 +78,20 @@
 "read_only": false
 }
 },
+ "CSRF_TRUSTED_ORIGINS": {
+ "type": "list",
+ "required": true,
+ "label": "CSRF Origins List",
+ "help_text": "If the service is behind a reverse proxy/load balancer, use this setting to configure the schema://addresses from which the service should trust Origin header values. ",
+ "category": "System",
+ "category_slug": "system",
+ "default": [],
+ "child": {
+ "type": "string",
+ "required": true,
+ "read_only": false
+ }
+ },
 "REDHAT_USERNAME": {
 "type": "string",
 "required": false,
@@ -4487,6 +4501,17 @@
 "type": "string"
 }
 },
+ "CSRF_TRUSTED_ORIGINS": {
+ "type": "list",
+ "label": "CSRF Origins List",
+ "help_text": "If the service is behind a reverse proxy/load balancer, use this setting to configure the schema://addresses from which the service should trust Origin header values. ",
+ "category": "System",
+ "category_slug": "system",
+ "defined_in_file": false,
+ "child": {
+ "type": "string"
+ }
+ },
 "LICENSE": {
 "type": "nested object",
 "label": "License",
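Review bot: Only the `systemData` fixture changes in MiscSystemEdit.test.js; nothing visible in this hunk asserts that `CSRF_TRUSTED_ORIGINS` is rendered in the edit form or included in the submitted payload. If the rest of the file has no generic per-field assertion, a test that edits the field and checks the value handed to the settings update call would cover the new `formatJson(form.CSRF_TRUSTED_ORIGINS)` path. The test file continues outside the hunk, so existing coverage should be checked first.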
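Review bot: The fixture label `"CSRF Origins List"` in both added `CSRF_TRUSTED_ORIGINS` entries of data.allSettingOptions.json does not match the label registered in awx/main/conf.py, `'CSRF Trusted Origins List'`, so the mock no longer mirrors what the API would return for this setting. Using `"label": "CSRF Trusted Origins List",` in both hunks keeps the fixture faithful. The `schema://` wording in `help_text` should follow whatever the backend help text ends up saying.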
diff --git a/awx/ui/src/screens/Setting/shared/data.allSettings.json b/awx/ui/src/screens/Setting/shared/data.allSettings.json
index 4fc9cabfdb..7a67b71c6d 100644
--- a/awx/ui/src/screens/Setting/shared/data.allSettings.json
+++ b/awx/ui/src/screens/Setting/shared/data.allSettings.json
@@ -9,6 +9,7 @@
 "REMOTE_HOST"
 ],
 "PROXY_IP_ALLOWED_LIST": [],
+ "CSRF_TRUSTED_ORIGINS": [],
 "LICENSE": {},
 "REDHAT_USERNAME": "",
 "REDHAT_PASSWORD": "",