diff --git a/docker-compose.yml b/docker-compose.yml
index 31d7fc6..57d35d6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,7 +7,7 @@ services:
 environment:
 - NODE_ENV=production
 - JWT_SECRET=${JWT_SECRET:-change-me-to-a-long-random-string}
- - ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-http://localhost:3000}
+ # - ALLOWED_ORIGINS=https://yourdomain.com # Optional: restrict CORS to specific origins
 - PORT=3000
 volumes:
 - ./data:/app/data
diff --git a/server/src/index.js b/server/src/index.js
index b4330e8..1d25bda 100644
--- a/server/src/index.js
+++ b/server/src/index.js
@@ -21,12 +21,14 @@ const tmpDir = path.join(__dirname, '../data/tmp');
 // Middleware
 const allowedOrigins = process.env.ALLOWED_ORIGINS
 ? process.env.ALLOWED_ORIGINS.split(',')
- : ['http://localhost:5173', 'http://localhost:3000'];
+ : null;
 app.use(cors({
- origin: (origin, callback) => {
- if (!origin || allowedOrigins.includes(origin)) callback(null, true);
- else callback(new Error('Not allowed by CORS'));
- },
+ origin: allowedOrigins
+ ? (origin, callback) => {
+ if (!origin || allowedOrigins.includes(origin)) callback(null, true);
+ else callback(new Error('Not allowed by CORS'));
+ }
+ : true,
 credentials: true
 }));
 app.use(express.json());
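Review bot: Commenting out `ALLOWED_ORIGINS` means this `NODE_ENV=production` compose file now starts the server with no origin allowlist, so the out-of-the-box deployment takes the allow-all branch (`: true`) added in server/src/index.js. A default that fails closed would be safer, for instance `- ALLOWED_ORIGINS=${ALLOWED_ORIGINS:?ALLOWED_ORIGINS must be set}`, leaving the open mode as an explicit operator choice. The inline comment should also state that leaving the variable unset allows every origin, rather than only calling the setting optional.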
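Review bot: With `ALLOWED_ORIGINS` unset, the new `: true` branch makes the cors middleware reflect whatever Origin the request carries while `credentials: true` stays enabled, so any website can send credentialed cross-origin requests and read the responses. If authentication ever travels in cookies this exposes authenticated data to third-party pages; tie credentials to the presence of an allowlist, e.g. `credentials: Boolean(allowedOrigins)`, or keep a fail-closed default list. An empty `ALLOWED_ORIGINS=` is also falsy and silently selects the allow-all branch, and entries are not trimmed, so a value written with a space after the comma never matches its second origin; `.split(',').map((o) => o.trim()).filter(Boolean)` plus an explicit empty-list check would cover both. A startup log line saying that CORS is unrestricted would make this mode visible to operators.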