diff --git a/__pycache__/server.cpython-312.pyc b/__pycache__/server.cpython-312.pyc
index dd5afa9..250dae2 100644
Binary files a/__pycache__/server.cpython-312.pyc and b/__pycache__/server.cpython-312.pyc differ
diff --git a/server.py b/server.py
index c0562ce..19c14f8 100644
--- a/server.py
+++ b/server.py
@@ -6236,10 +6236,30 @@ async def stripe_webhook(request: Request, db: Session = Depends(get_db)):
 # Include the router in the main app
 app.include_router(api_router)
 
+# CORS Configuration
+cors_origins = os.environ.get('CORS_ORIGINS', '')
+if cors_origins:
+    # Use explicitly configured origins
+    allowed_origins = [origin.strip() for origin in cors_origins.split(',')]
+else:
+    # Default to common development origins if not configured
+    allowed_origins = [
+        "http://localhost:3000",
+        "http://localhost:8000",
+        "http://127.0.0.1:3000",
+        "http://127.0.0.1:8000"
+    ]
+    print(f"⚠️  WARNING: CORS_ORIGINS not set. Using defaults: {allowed_origins}")
+    print("⚠️  For production, set CORS_ORIGINS in .env file!")
+
+print(f"✓ CORS allowed origins: {allowed_origins}")
+
 app.add_middleware(
     CORSMiddleware,
     allow_credentials=True,
-    allow_origins=os.environ.get('CORS_ORIGINS', '*').split(','),
-    allow_methods=["*"],
+    allow_origins=allowed_origins,
+    allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"],
     allow_headers=["*"],
+    expose_headers=["*"],
+    max_age=600,  # Cache preflight requests for 10 minutes
 )
\ No newline at end of file