diff --git a/app/backend/.env.example b/app/backend/.env.example
index f96a39dc..7e6f1515 100644
--- a/app/backend/.env.example
+++ b/app/backend/.env.example
@@ -25,6 +25,10 @@ REDIS_PORT=6379
 # ── Frontend URL (for CORS and OAuth redirects) ─────────────────────────────
 FRONTEND_URL=http://localhost:3000
 
+# ── CORS ─────────────────────────────────────────────────────────────────────
+# Comma-separated list of allowed origins. credentials are only passed for listed origins.
+ALLOWED_ORIGINS=http://localhost:3000
+
 # ── JWT / Auth ───────────────────────────────────────────────────────────────
 JWT_SECRET=change-me-to-a-random-secret
 REFRESH_TOKEN_SECRET=change-me-to-another-random-secret
diff --git a/app/backend/src/main.ts b/app/backend/src/main.ts
index 5f9c9419..3e95a12d 100644
--- a/app/backend/src/main.ts
+++ b/app/backend/src/main.ts
@@ -16,6 +16,25 @@ async function bootstrap() {
 const app = await NestFactory.create(AppModule);
 configureAppSecurity(app);
 
+ // Configure CORS with env-driven allowed origins
+ const allowedOrigins = (process.env.ALLOWED_ORIGINS ?? '')
+ .split(',')
+ .map((o) => o.trim())
+ .filter(Boolean);
+
+ app.enableCors({
+ origin: (origin, callback) => {
+ // Allow requests with no origin (e.g. server-to-server, curl)
+ if (!origin) return callback(null, true);
+ if (allowedOrigins.includes(origin)) {
+ return callback(null, true);
+ }
+ return callback(null, false);
+ },
+ credentials: true,
+ methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
+ });
+
 // app.enableVersioning({...});
 setupOpenApiDocs(app);
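Review bot: The allowlist check on the new `if (allowedOrigins.includes(origin))` line is an exact string comparison against the browser's `Origin` header, so an `ALLOWED_ORIGINS` entry with a trailing slash, an upper-case host or an explicit default port never matches, and because the rejection path is `callback(null, false)` with nothing logged, such a misconfiguration surfaces only as unexplained browser failures. Normalizing each entry once at boot, `.map((o) => new URL(o).origin)` placed after `.filter(Boolean)`, makes the comparison canonical and also fails fast on a malformed entry instead of silently dropping it from the list. The shape itself — exact allowlist plus `credentials: true`, no wildcard and no reflected origin — is the right one, and the `?? ''` default makes an unset variable deny-by-default. The `.env.example` section header still describes `FRONTEND_URL` as "for CORS", which the new code no longer reads for that purpose; that comment should be updated in the first hunk. `bootstrap` begins before this hunk, and the hunk's trailing context appears to run past the end of what is shown.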