diff --git a/SECURITY.md b/SECURITY.md
index 6c5ef20..7ab9a66 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -34,13 +34,15 @@ This application requires environment variables for configuration. **Never commi
 ### Production Deployment Security
 #### CORS Configuration
-The application includes security-hardened CORS configuration. Update the `allowed_origins` list in `src/mcpmc/main.py` to include only your trusted domains:
+The application automatically configures CORS origins based on your `DOMAIN` environment variable:
-```python
-allowed_origins = [
- "https://yourdomain.com",
- "https://api.yourdomain.com",
-]
+- Development: Allows localhost origins for testing
+- Production: Uses `https://{DOMAIN}` and `https://api.{DOMAIN}`
+- Security: Automatically removes localhost origins in production environments
+
+Set your `DOMAIN` environment variable to configure CORS automatically:
+```bash
+DOMAIN=mcpmc.yourdomain.com
 ```
 #### SSL/TLS
diff --git a/src/mcpmc/main.py b/src/mcpmc/main.py
index 649d6be..9be5e60 100644
--- a/src/mcpmc/main.py
+++ b/src/mcpmc/main.py
@@ -34,12 +34,21 @@ app = FastAPI(
 )
 # Security-hardened CORS configuration for production
+import os
+
+# Build allowed origins from environment
+domain = os.getenv('DOMAIN', 'localhost')
 allowed_origins = [
 "http://localhost:3000", # Development frontend
 "http://localhost:8080", # Alternative dev port
- "https://mcpmc.yourdomain.com", # Production domain (replace with actual)
+ f"https://{domain}", # Production frontend
+ f"https://api.{domain}", # Production API
 ]
+# Remove localhost origins in production
+if domain != 'localhost' and not domain.endswith('.local'):
+ allowed_origins = [origin for origin in allowed_origins if 'localhost' not in origin]
+
 app.add_middleware(
 CORSMiddleware,
 allow_origins=allowed_origins, # Restricted to specific domains
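Review bot: The added `if domain != 'localhost' and not domain.endswith('.local'):` block decides "production" from the DOMAIN string alone, so a production deployment that leaves DOMAIN unset falls back to `'localhost'` and silently keeps `http://localhost:3000` and `http://localhost:8080` in `allowed_origins`. The filter is also a substring test, `'localhost' not in origin`, which would drop the production entries for any domain whose name merely contains that text; comparing the parsed host is tighter, e.g. `allowed_origins = [o for o in allowed_origins if urlparse(o).hostname != 'localhost']` (with `urlparse` imported from `urllib.parse`). DOMAIN is interpolated into the f-strings unvalidated, so a value carrying a scheme, port or trailing slash yields origins that never match; rejecting such values at startup and logging the final list would make the misconfiguration visible. The `app.add_middleware(` call continues past the hunk, so whether credentials are allowed for these origins cannot be confirmed from here.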