diff --git a/backend/.env.sample b/backend/.env.sample
index 98f96881..fb332065 100644
--- a/backend/.env.sample
+++ b/backend/.env.sample
@@ -1,3 +1,5 @@
 PORT=5000
 MONGO_URI=mongodb://localhost:27017/githubTracker
 SESSION_SECRET=your-secret-key
+# Comma-separated list of allowed frontend origins
+ALLOWED_ORIGINS=http://localhost:5173
diff --git a/backend/server.js b/backend/server.js
index 3f19f00b..4b8906a6 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -11,8 +11,24 @@
 require('./config/passportConfig');
 const app = express();
-// CORS configuration
-app.use(cors('*'));
+// CORS — restrict to known frontend origins only
+const allowedOrigins = (process.env.ALLOWED_ORIGINS || 'http://localhost:5173')
+  .split(',')
+  .map(o => o.trim());
+
+app.use(cors({
+  origin: (origin, callback) => {
+    // Allow server-to-server requests (no Origin header) and explicit allowlist
+    if (!origin || allowedOrigins.includes(origin)) {
+      callback(null, true);
+    } else {
+      callback(new Error('Not allowed by CORS'));
+    }
+  },
+  credentials: true,
+  methods: ['GET', 'POST'],
+  allowedHeaders: ['Content-Type'],
+}));
 // Middleware
 app.use(bodyParser.json());
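Review bot: The `else` branch of the new `origin` callback in server.js rejects a disallowed origin with a bare `Error`, which the cors middleware forwards to `next(err)`; unless a later error handler intervenes, Express's default handler answers 500 (echoing the stack outside production), so a blocked cross-site caller is indistinguishable from a server fault in logs and monitoring. Set a status on the error first, e.g. `const err = new Error('Not allowed by CORS'); err.status = 403; callback(err);`, so it is reported as a client-side rejection. The allowlist is also built with `||`, so an explicitly empty `ALLOWED_ORIGINS` silently falls back to the localhost origin even in production; `??` plus `.filter(Boolean)` after the `.map` turns an empty value into an empty (deny-all) list and drops `''` entries left by a trailing comma. The `!origin` branch only affects clients that send no Origin header, which sit outside the browser CORS model anyway, so it does not widen exposure; the comment would be clearer saying that than calling them server-to-server.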