diff --git a/backend/.env.example b/backend/.env.example
new file mode 100644
index 00000000..70a19cf4
--- /dev/null
+++ b/backend/.env.example
@@ -0,0 +1,14 @@
+# Server
+PORT=5000
+NODE_ENV=development
+
+# MongoDB
+MONGO_URI=mongodb://127.0.0.1:27017/github_tracker
+
+# Session
+SESSION_SECRET=your_session_secret_here
+
+# CORS — comma-separated list of allowed frontend origins
+# In production, set this to your actual frontend URL(s).
+# If not set, defaults to http://localhost:5173
+ALLOWED_ORIGINS=http://localhost:5173
diff --git a/backend/server.js b/backend/server.js
index 48d6ccfb..6acec26f 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -13,13 +13,19 @@ const logger = require('./logger');
 
 const app = express();
 
-// CORS configuration
-const allowedOrigins = ['http://localhost:5173', 'https://github-spy.etlify.app'];
+// CORS configuration — allowed origins are read from the ALLOWED_ORIGINS env var
+// (comma-separated). Falls back to localhost for local development.
+const parsedOrigins = process.env.ALLOWED_ORIGINS
+  ? process.env.ALLOWED_ORIGINS.split(',').map(origin => origin.trim()).filter(Boolean)
+  : [];
+const allowedOrigins = parsedOrigins.length > 0 ? parsedOrigins : ['http://localhost:5173'];
+
 app.use(cors({
   origin: function (origin, callback) {
+    // Allow requests with no origin (e.g. server-to-server, curl, mobile apps)
     if (!origin || allowedOrigins.indexOf(origin) !== -1) {
       callback(null, true);
-    } else{
+    } else {
       callback(new Error('Blocked by CORS policy'));
     }
   },
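Review bot: The ALLOWED_ORIGINS entries are only trimmed, not normalized, so a value carrying a trailing slash or an uppercase host (e.g. a constructed `https://Example.com/`) will never equal the browser's Origin header, which is serialized as lowercase scheme and host with no path, and that origin is silently rejected by the `indexOf` check. Since parsing runs once at startup it is cheap to normalize in the `parsedOrigins` chain, e.g. `.map(origin => origin.trim().replace(/\/+$/, '').toLowerCase())`, and `allowedOrigins.includes(origin)` reads better than the `indexOf(...) !== -1` form. It would also help operators to log the effective list once after `allowedOrigins` is computed, e.g. `logger.info(\`CORS allowed origins: ${allowedOrigins.join(', ')}\`);`, so a production deploy that forgot to set the variable shows the localhost fallback in its logs rather than surfacing as unexplained CORS failures; `logger` is required just above the hunk. The `app.use(cors({ ... }))` call continues past the end of the hunk.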