diff --git a/src/Umbraco.Core/Help/HelpPageSettings.cs b/src/Umbraco.Core/Help/HelpPageSettings.cs
new file mode 100644
index 0000000000..d2a4a3a0f5
--- /dev/null
+++ b/src/Umbraco.Core/Help/HelpPageSettings.cs
@@ -0,0 +1,12 @@
+using System.Configuration;
+
+namespace Umbraco.Core.Help
+{
+ public class HelpPageSettings : IHelpPageSettings
+ {
+ public string HelpPageUrlAllowList =>
+ ConfigurationManager.AppSettings.ContainsKey(Constants.AppSettings.HelpPageUrlAllowList)
+ ? ConfigurationManager.AppSettings[Constants.AppSettings.HelpPageUrlAllowList]
+ : null;
+ }
+}
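Review bot: The `ContainsKey` guard in `HelpPageUrlAllowList` does not change the result, because the `NameValueCollection` indexer already returns `null` for a missing key, so the property reduces to `ConfigurationManager.AppSettings[Constants.AppSettings.HelpPageUrlAllowList]`; `NameValueCollection` also has no `ContainsKey` in the BCL, so this presumably relies on a project extension method — confirm it is in scope for this namespace. The new files live in `Umbraco.Core.Help` while the consuming controller and its `Constants` alias are under `Umbraco.Cms.*`, which looks like a backport mismatch worth aligning. The class also has no XML doc; I would add `/// <summary>Reads the help-page URL allowlist from appSettings; returns null when the key is not configured.</summary>` above it, since the null case is what `IsAllowedUrl` keys its fail-open behaviour on.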
diff --git a/src/Umbraco.Core/Help/IHelpPageSettings.cs b/src/Umbraco.Core/Help/IHelpPageSettings.cs
new file mode 100644
index 0000000000..5643e47a30
--- /dev/null
+++ b/src/Umbraco.Core/Help/IHelpPageSettings.cs
@@ -0,0 +1,10 @@
+namespace Umbraco.Core.Help
+{
+ public interface IHelpPageSettings
+ {
+ ///
+ /// Gets the allowed addresses to retrieve data for the help page.
+ ///
+ string HelpPageUrlAllowList { get; }
+ }
+}
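Review bot: The summary on `HelpPageUrlAllowList` does not say how multiple addresses are represented in the single string, nor what a `null`/empty value means, and both facts are what the consumer's matching logic depends on. I would extend the doc to something like `/// Gets the allowed base addresses for the help page, as a delimited list (one entry per address); null or empty means no restriction is applied.` with the delimiter stated once the format is decided. The empty `///` lines above and below the text suggest the `<summary>` tags were lost, possibly only in rendering — verify the comment is well-formed in the file.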
diff --git a/src/Umbraco.Web.BackOffice/Controllers/HelpController.cs b/src/Umbraco.Web.BackOffice/Controllers/HelpController.cs
index 3bc45703fa..ecec8f864d 100644
--- a/src/Umbraco.Web.BackOffice/Controllers/HelpController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/HelpController.cs
@@ -1,10 +1,11 @@
-using System.Collections.Generic;
+using System.Collections.Generic;
using System.Net.Http;
using System.Runtime.Serialization;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;
using Umbraco.Cms.Web.Common.Attributes;
+using Umbraco.Core.Help;
using Constants = Umbraco.Cms.Core.Constants;
namespace Umbraco.Cms.Web.BackOffice.Controllers
@@ -13,8 +14,10 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
public class HelpController : UmbracoAuthorizedJsonController
{
private readonly ILogger _logger;
+ private readonly IHelpPageSettings _helpPageSettings;
- public HelpController(ILogger logger)
+ public HelpController(ILogger logger,
+ IHelpPageSettings helpPageSettings)
{
_logger = logger;
}
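Review bot: The constructor takes the new `helpPageSettings` parameter but never stores it, so `_helpPageSettings` stays `null` and the first call to `IsAllowedUrl` throws a `NullReferenceException` instead of applying the allowlist; add `_helpPageSettings = helpPageSettings;` after the `_logger` assignment. Consider also guarding the injected value, e.g. `_helpPageSettings = helpPageSettings ?? throw new ArgumentNullException(nameof(helpPageSettings));`, so a misconfigured DI registration fails at construction rather than on the first help-page request.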
@@ -22,6 +25,12 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
private static HttpClient _httpClient;
public async Task> GetContextHelpForPage(string section, string tree, string baseUrl = "https://our.umbraco.com")
{
+ if (IsAllowedUrl(baseUrl) is false)
+ {
+ Logger.Error($"The following URL is not listed in the allowlist for HelpPage in web.config: {baseUrl}");
+ throw new HttpResponseException(Request.CreateErrorResponse(HttpStatusCode.BadRequest, "HelpPage source not permitted"));
+ }
+
var url = string.Format(baseUrl + "/Umbraco/Documentation/Lessons/GetContextHelpDocs?sectionAlias={0}&treeAlias={1}", section, tree);
try
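Review bot: The new guard calls `Logger.Error(...)`, but the field declared in this class is `_logger` (an `ILogger` from `Microsoft.Extensions.Logging`, per the usings), and `HttpStatusCode` / `HttpResponseException` / `Request.CreateErrorResponse` are not covered by any visible `using` (`System.Net` is absent from the header) — this looks like code lifted from a different framework version and may not compile here; confirm against the build. The message also interpolates the caller-supplied `baseUrl` straight into the log text; prefer a structured parameter so the untrusted value stays a separate field rather than part of the message, e.g. `_logger.LogError("Help page source {BaseUrl} is not in the configured allowlist", baseUrl);`. The body of `GetContextHelpForPage` continues outside the hunk.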
@@ -44,6 +53,17 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
return new List();
}
+
+ private bool IsAllowedUrl(string url)
+ {
+ if (string.IsNullOrEmpty(_helpPageSettings.HelpPageUrlAllowList) ||
+ _helpPageSettings.HelpPageUrlAllowList.Contains(url))
+ {
+ return true;
+ }
+
+ return false;
+ }
}
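Review bot: `IsAllowedUrl` decides with `HelpPageUrlAllowList.Contains(url)`, which is a substring test on the whole configured string rather than a comparison against individual entries, so any `baseUrl` that happens to be a fragment of the configured text is accepted; the check should split the setting into entries and compare each one exactly with an ordinal comparison. The empty/unset case returns `true`, i.e. no configured allowlist permits every source; if that fail-open default is intended it should be stated on `IHelpPageSettings`, otherwise return `false` there. The rewrite below assumes a comma-separated list, which the page does not specify — confirm the intended format and whether entries may carry a trailing slash.

```csharp
private bool IsAllowedUrl(string url)
{
    var allowList = _helpPageSettings.HelpPageUrlAllowList;
    if (string.IsNullOrEmpty(allowList))
    {
        // unchanged policy: an unset allowlist does not restrict the source
        return true;
    }

    foreach (var entry in allowList.Split(','))
    {
        if (string.Equals(entry.Trim(), url, System.StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }
    }

    return false;
}
```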
[DataContract(Name = "HelpPage")]