diff --git a/backend/.env.example b/backend/.env.example
index dd22d44..be99c9c 100755
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -27,10 +27,7 @@ BACKEND_HOST=localhost:8521
 ENV=development
 
 # CORS Origins (comma-separated)
-# Development:
-# CORS_ORIGINS=http://localhost:3000,http://localhost:8963
-# Production:
-CORS_ORIGINS=https://gohorsejobs.com,https://gohorsejobs-dev.appwrite.network,https://api-dev2.gohorsejobs.com
+CORS_ORIGINS=http://localhost:3000,http://localhost:8963
 
 # =============================================================================
 # Cloudflare API (for cache management)
diff --git a/backoffice/.env.example b/backoffice/.env.example
index dbd1ca0..78df283 100644
--- a/backoffice/.env.example
+++ b/backoffice/.env.example
@@ -7,6 +7,9 @@ BACKOFFICE_PORT=3001
 BACKOFFICE_HOST=0.0.0.0
 NODE_ENV=development
 
+# CORS Origins (comma-separated)
+CORS_ORIGINS=https://gohorsejobs.com,https://gohorsejobs-dev.appwrite.network,https://api-dev2.gohorsejobs.com
+
 # =============================================================================
 # Stripe
 # =============================================================================
diff --git a/backoffice/src/main.ts b/backoffice/src/main.ts
index df0708e..1b7c1f8 100644
--- a/backoffice/src/main.ts
+++ b/backoffice/src/main.ts
@@ -38,12 +38,12 @@ async function bootstrap() {
   // CORS configuration (Fastify-native)
   app.enableCors({
     origin: (origin, callback) => {
+      // Parse CORS_ORIGINS from env (comma-separated)
+      const envOrigins = process.env.CORS_ORIGINS?.split(',').map(o => o.trim()) || [];
       const allowedOrigins = [
         'http://localhost:3000',
         'http://localhost:8963',
-        'https://gohorsejobs.com',
-        'https://admin.gohorsejobs.com',
-        process.env.FRONTEND_URL,
+        ...envOrigins,
       ].filter(Boolean);
 
       if (!origin || allowedOrigins.includes(origin)) {