diff --git a/.env.example b/.env.example
index 83ceca6..ef359e4 100644
--- a/.env.example
+++ b/.env.example
@@ -7,6 +7,11 @@ NEXT_PUBLIC_API_URL="http://localhost:8000/api"
 AGENT_RECURSION_LIMIT=30
+# CORS settings
+# Comma-separated list of allowed origins for CORS requests
+# Example: ALLOWED_ORIGINS=http://localhost:3000,http://example.com
+ALLOWED_ORIGINS=http://localhost:3000
+
 # Search Engine, Supported values: tavily (recommended), duckduckgo, brave_search, arxiv
 SEARCH_API=tavily
 TAVILY_API_KEY=tvly-xxx
diff --git a/src/server/app.py b/src/server/app.py
index bfcddd2..7b07758 100644
--- a/src/server/app.py
+++ b/src/server/app.py
@@ -53,12 +53,17 @@ app = FastAPI(
 )

 # Add CORS middleware
+# It's recommended to load the allowed origins from an environment variable
+# for better security and flexibility across different environments.
+allowed_origins_str = os.getenv("ALLOWED_ORIGINS", "http://localhost:3000")
+allowed_origins = [origin.strip() for origin in allowed_origins_str.split(",")]
+
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],  # Allows all origins
+    allow_origins=allowed_origins,  # Restrict to specific origins
     allow_credentials=True,
-    allow_methods=["*"],  # Allows all methods
-    allow_headers=["*"],  # Allows all headers
+    allow_methods=["GET", "POST"],  # Be specific about allowed methods
+    allow_headers=["Content-Type", "Authorization", "X-Requested-With"],  # Be specific
 )

 graph = build_graph_with_memory()
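Review bot: The list comprehension that builds `allowed_origins` keeps empty entries, so `ALLOWED_ORIGINS=""` or a trailing comma (`http://a.example,`) yields `""` in the allow-list and the split also keeps an entry for every stray comma; drop blanks when parsing, `allowed_origins = [o.strip() for o in allowed_origins_str.split(",") if o.strip()]`. Because `allow_credentials=True` stays on, an operator who sets `ALLOWED_ORIGINS=*` gets a credentialed wildcard again (Starlette's CORSMiddleware treats a `*` entry as allow-all and reflects the request origin when credentials are present, as I recall), which is exactly what the commit set out to remove; a comment next to the `os.getenv` line saying that `*` must not be used here, or a startup check that rejects it, would keep the narrowing honest. `os` is referenced by the new line but the import block is outside this hunk, so confirm it is imported; likewise confirm no route relies on methods other than `GET`/`POST`, since preflights for them will now be refused. The hunk's statements are module-level and complete within the hunk.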