There are a few different options. One is to use secrets.yml file. There you can define different values per environment, let's say:

development:
  allowed_origins:
    - http://localhost:4200

production:
  allowed_origins:
    - http://productionurl1.com
    - http://productionurl2.com

Then in your configuration file you can do

module Api
  Rails.application.config.middleware.insert_before 0, Rack::Cors do
    allow do
      origins Rails.application.secrets.allowed_origins
    end
  end
end

Another option (taken from the comments) is to use the environment files, eg:

development.rb

config.allowed_cors_origins = ["http://localhost:4200"]

Then in the cors.rb initializer you can do:

Rails.application.config.allowed_cors_origins 

(since initializer will be called after the environment config file, this should work).

For anyone using rails 5.2, secrets.yml has been changed and now we need to use credentials. In order to use that, we need to edit config/credentials.yml.enc First, run the command EDITOR="atom --wait" rails credentials:edit (using the editor of your choosing). Then, add the origins as the accepted answer suggests:

development:
  allowed_origins:
   - http://localhost:4200

production:
  allowed_origins:
   - http://productionurl1.com
   - http://productionurl2.com

Save the file. Now the allowed origins variables will be in the encrypted file. And then in the cors initializer (in my case it was in application.rb)

config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins Rails.application.credentials[Rails.env.to_sym][:allowed_origins]
    resource '*',
    headers: :any,
    expose: ['access-token', 'expiry', 'token-type', 'uid', 'client'],
    methods: [:get, :post, :options, :delete, :put]
  end
end