diff --git a/web/src/main/java/org/phoenixctms/ctsms/web/jersey/provider/TrustedHostFilter.java b/web/src/main/java/org/phoenixctms/ctsms/web/jersey/provider/TrustedHostFilter.java
index 531727d45916..a1d44f84e495 100644
--- a/web/src/main/java/org/phoenixctms/ctsms/web/jersey/provider/TrustedHostFilter.java
+++ b/web/src/main/java/org/phoenixctms/ctsms/web/jersey/provider/TrustedHostFilter.java
@@ -1,5 +1,7 @@
 package org.phoenixctms.ctsms.web.jersey.provider;
 
+import java.util.regex.Pattern;
+
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.ext.Provider;
@@ -25,12 +27,15 @@ public class TrustedHostFilter extends ExceptionMapperBase implements ContainerR
 
 	@Override
 	public ContainerRequest filter(ContainerRequest request) {
-		if (Settings.getBoolean(SettingCodes.API_TRUSTED_HOSTS_ONLY, Bundle.SETTINGS, DefaultSettings.API_TRUSTED_HOSTS_ONLY) && !WebUtil.isTrustedHost(this.request)) {
-			AuthorisationException ex = new AuthorisationException(Messages.getMessage(MessageCodes.HOST_NOT_ALLOWED_OR_UNKNOWN_HOST, WebUtil.getRemoteHost(this.request)));
-			ex.setErrorCode(AuthorisationExceptionCodes.HOST_NOT_ALLOWED_OR_UNKNOWN_HOST);
-			throw new WebApplicationException(ex);
-		} else {
-			return request;
+		if (Settings.getBoolean(SettingCodes.API_TRUSTED_HOSTS_ONLY, Bundle.SETTINGS, DefaultSettings.API_TRUSTED_HOSTS_ONLY)) { // && !WebUtil.isTrustedHost(this.request)) {
+			Pattern whitelistRegExp = Settings.getRegexp(SettingCodes.API_TRUSTED_HOSTS_ONLY_WHITELIST_PATH_REGEXP, Bundle.SETTINGS,
+					DefaultSettings.API_TRUSTED_HOSTS_ONLY_WHITELIST_REGEXP);
+			if (whitelistRegExp != null && !whitelistRegExp.matcher(request.getRequestUri().getPath()).find()) {
+				AuthorisationException ex = new AuthorisationException(Messages.getMessage(MessageCodes.HOST_NOT_ALLOWED_OR_UNKNOWN_HOST, WebUtil.getRemoteHost(this.request)));
+				ex.setErrorCode(AuthorisationExceptionCodes.HOST_NOT_ALLOWED_OR_UNKNOWN_HOST);
+				throw new WebApplicationException(ex);
+			}
 		}
+		return request;
 	}
 }
diff --git a/web/src/main/java/org/phoenixctms/ctsms/web/util/DefaultSettings.java b/web/src/main/java/org/phoenixctms/ctsms/web/util/DefaultSettings.java
index 81e2f078898c..058595a393cb 100644
--- a/web/src/main/java/org/phoenixctms/ctsms/web/util/DefaultSettings.java
+++ b/web/src/main/java/org/phoenixctms/ctsms/web/util/DefaultSettings.java
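Review bot: The host test has been commented out of the outer `if` in `filter`, so with `API_TRUSTED_HOSTS_ONLY` enabled the filter never consults `WebUtil.isTrustedHost(this.request)`; with the shipped default (empty property, null constant, so `Settings.getRegexp` returns null) `whitelistRegExp` is null, the inner condition is false and every request from any host is returned, while with a regexp configured only the path is compared, even though the rejection message still reports the remote host. If the intent is to let untrusted hosts reach only whitelisted paths, keep the host test and make the whitelist fail closed when it is unset: `if (Settings.getBoolean(SettingCodes.API_TRUSTED_HOSTS_ONLY, Bundle.SETTINGS, DefaultSettings.API_TRUSTED_HOSTS_ONLY) && !WebUtil.isTrustedHost(this.request)) {` and `if (whitelistRegExp == null || !whitelistRegExp.matcher(request.getRequestUri().getPath()).find()) {`. Note also that `find()` accepts the expression anywhere in the path, so a whitelist like the `"/tools"` example from DefaultSettings would also admit any path that merely contains that substring; anchoring the configured expression or using `matches()` makes the whitelist exact. The dead `// && !WebUtil.isTrustedHost(this.request)) {` fragment should be removed rather than left as commented-out code.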
@@ -46,6 +46,7 @@ public final class DefaultSettings {
 	public final static String API_REALM = "api";
 	public final static String API_TITLE = "REST API";
 	public static final boolean API_TRUSTED_HOSTS_ONLY = true;
+	public final static String API_TRUSTED_HOSTS_ONLY_WHITELIST_REGEXP = null; // "/tools";
 	public final static String API_VERSION = "0.0.0";
 	public static final boolean ENABLE_TOOLTIPS = true;
 	public static final boolean TRIAL_STATUS_UPDATE_REQUIRES_PASSWORD = true;
diff --git a/web/src/main/java/org/phoenixctms/ctsms/web/util/SettingCodes.java b/web/src/main/java/org/phoenixctms/ctsms/web/util/SettingCodes.java
index 20b1e15bf5e6..f41386237ac8 100644
--- a/web/src/main/java/org/phoenixctms/ctsms/web/util/SettingCodes.java
+++ b/web/src/main/java/org/phoenixctms/ctsms/web/util/SettingCodes.java
@@ -489,6 +489,7 @@ public interface SettingCodes {
 	public static final String API_REALM = "api_realm";
 	public static final String API_TITLE = "api_title";
 	public static final String API_TRUSTED_HOSTS_ONLY = "api_trusted_hosts_only";
+	public static final String API_TRUSTED_HOSTS_ONLY_WHITELIST_PATH_REGEXP = "api_trusted_hosts_only_whitelist_path_regexp";
 	public static final String API_VERSION = "api_version";
 	public static final String INPUT_FIELD_DELTA_SUMMARY_MAX = "input_field_delta_summary_max";
 	public static final String FIELD_CALCULATION_DEBUG_LEVEL = "field_calculation_debug_level";
diff --git a/web/src/main/java/org/phoenixctms/ctsms/web/util/Settings.java b/web/src/main/java/org/phoenixctms/ctsms/web/util/Settings.java
index 1376e7be5393..31c61dd6ed59 100644
--- a/web/src/main/java/org/phoenixctms/ctsms/web/util/Settings.java
+++ b/web/src/main/java/org/phoenixctms/ctsms/web/util/Settings.java
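Review bot: The new default constant is named `API_TRUSTED_HOSTS_ONLY_WHITELIST_REGEXP` while its setting code in SettingCodes (the next hunk) is `API_TRUSTED_HOSTS_ONLY_WHITELIST_PATH_REGEXP`; every other API_* entry visible in these two files uses the same identifier on both sides, so the default should be renamed to `API_TRUSTED_HOSTS_ONLY_WHITELIST_PATH_REGEXP` and the reference in TrustedHostFilter updated to match. The trailing `// "/tools";` is commented-out code; if it is meant as an example, replace it with a Javadoc comment on the constant stating that the value is a `java.util.regex` expression searched in the request path by `TrustedHostFilter` and that null or an empty string disables the path whitelist.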
@@ -11,6 +11,8 @@
 import java.util.MissingResourceException;
 import java.util.ResourceBundle;
 import java.util.Set;
+import java.util.regex.Pattern;
+import java.util.regex.PatternSyntaxException;
 
 import javax.faces.context.FacesContext;
 import javax.faces.model.SelectItem;
@@ -282,6 +284,19 @@ public static Sex getSex(String key, Bundle bundle, Sex defaultValue) {
 		}
 	}
 
+	public static Pattern getRegexp(String key, Bundle bundle, String defaultValue) {
+		String pattern = CommonUtil.getValue(key, getBundle(bundle), defaultValue);
+		if (pattern != null && pattern.length() > 0) {
+			try {
+				return java.util.regex.Pattern.compile(pattern);
+			} catch (PatternSyntaxException e) {
+				throw new IllegalArgumentException(e);
+			}
+		} else {
+			return null;
+		}
+	}
+
 	public static String getString(String key, Bundle bundle, String defaultValue) {
 		return CommonUtil.getValue(key, getBundle(bundle), defaultValue);
 	}
diff --git a/web/src/main/resources/org/phoenixctms/ctsms/web/settings.properties b/web/src/main/resources/org/phoenixctms/ctsms/web/settings.properties
index 6cd8e3dd2beb..1d55be16125b 100644
--- a/web/src/main/resources/org/phoenixctms/ctsms/web/settings.properties
+++ b/web/src/main/resources/org/phoenixctms/ctsms/web/settings.properties
@@ -29,6 +29,7 @@ api_title=${application.abbreviation} REST API
 api_version=${application.version}
 api_realm=api
 api_trusted_hosts_only=true
+api_trusted_hosts_only_whitelist_path_regexp=
 enable_tooltips=true
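Review bot: `getRegexp` wraps the `PatternSyntaxException` in an `IllegalArgumentException` without saying which setting was malformed, so an operator who mistypes the property sees only the regex parser's message; include the key, `throw new IllegalArgumentException("invalid regular expression in setting '" + key + "': " + e.getMessage(), e);`. The body also spells out `java.util.regex.Pattern.compile(pattern)` although `Pattern` is now imported at the top of the file, and `pattern.length() > 0` reads better as `!pattern.isEmpty()`. Since the only caller shown, `TrustedHostFilter.filter`, invokes this per request, the expression is recompiled on every call; the method should carry a Javadoc stating that it returns null for an unset or empty value, throws `IllegalArgumentException` for a malformed one, and compiles the pattern on each invocation, so callers on a hot path know to cache the result.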