diff --git a/actix-cors/CHANGES.md b/actix-cors/CHANGES.md
index ad651ed70..b19b21f19 100644
--- a/actix-cors/CHANGES.md
+++ b/actix-cors/CHANGES.md
@@ -1,6 +1,9 @@
 # Changes
 
 ## Unreleased - 2020-xx-xx
+* Disallow `*` in `Cors::allowed_origin` by panicking. [#114].
+
+[#114]: https://github.com/actix/actix-extras/pull/114
 
 
 ## 0.4.1 - 2020-10-07
diff --git a/actix-cors/src/builder.rs b/actix-cors/src/builder.rs
index a72fa03ab..4a08387ca 100644
--- a/actix-cors/src/builder.rs
+++ b/actix-cors/src/builder.rs
@@ -115,10 +115,18 @@ impl Cors {
     /// `allowed_origin_fn` function is set, these functions will be used to determinate
     /// allowed origins.
     ///
-    /// Builder panics if supplied origin is not valid uri.
+    /// # Panics
+    ///
+    /// * If supplied origin is not valid uri, or
+    /// * If supplied origin is a wildcard (`*`). [`Cors::send_wildcard`] should be used instead.
     ///
     /// [Fetch Standard]: https://fetch.spec.whatwg.org/#origin-header
     pub fn allowed_origin(mut self, origin: &str) -> Cors {
+        assert!(
+            origin != "*",
+            "Wildcard in `allowed_origin` is not allowed. Use `send_wildcard`."
+        );
+
         if let Some(cors) = cors(&mut self.cors, &self.error) {
             match TryInto::<Uri>::try_into(origin) {
                 Ok(_) => {
diff --git a/actix-cors/tests/tests.rs b/actix-cors/tests/tests.rs
index 9ad761e38..dabb5c695 100644
--- a/actix-cors/tests/tests.rs
+++ b/actix-cors/tests/tests.rs
@@ -10,6 +10,17 @@ use regex::bytes::Regex;
 
 use actix_cors::Cors;
 
+#[actix_rt::test]
+#[should_panic]
+async fn test_wildcard_origin() {
+    Cors::new()
+        .allowed_origin("*")
+        .finish()
+        .new_transform(test::ok_service())
+        .await
+        .unwrap();
+}
+
 #[actix_rt::test]
 async fn test_not_allowed_origin_fn() {
     let mut cors = Cors::new()