diff --git a/esphome/dashboard/web_server.py b/esphome/dashboard/web_server.py
index 9ee2312781..33c83ffb1a 100644
--- a/esphome/dashboard/web_server.py
+++ b/esphome/dashboard/web_server.py
@@ -17,6 +17,7 @@ import time
 from collections.abc import Iterable
 from pathlib import Path
 from typing import TYPE_CHECKING, Any, Callable, TypeVar
+from urllib.parse import urlparse
 
 import tornado
 import tornado.concurrent
@@ -166,6 +167,18 @@ class EsphomeCommandWebSocket(tornado.websocket.WebSocketHandler):
         # use Popen() with a reading thread instead
         self._use_popen = os.name == "nt"
 
+    def check_origin(self, origin):
+        if "ESPHOME_TRUSTED_DOMAINS" not in os.environ:
+            return super().check_origin(origin)
+        trusted_domains = [
+            s.strip() for s in os.environ["ESPHOME_TRUSTED_DOMAINS"].split(",")
+        ]
+        url = urlparse(origin)
+        if url.hostname in trusted_domains:
+            return True
+        _LOGGER.info("check_origin %s, domain is not trusted", origin)
+        return False
+
     def open(self, *args: str, **kwargs: str) -> None:
         """Handle new WebSocket connection."""
         # Ensure messages from the subprocess are sent immediately