diff --git a/src/startup.rs b/src/startup.rs
index c0cee45..48bc821 100644
--- a/src/startup.rs
+++ b/src/startup.rs
@@ -80,11 +80,22 @@ impl From for RunnableApplication {
 // Use very high limits to effectively disable rate limiting
 RateLimitConfig::new(u32::MAX, 1)
 };
-
+ let frontend_url = value.settings.frontend_url.clone();
+ let cors = if value.settings.debug {
+ Cors::new()
+ } else {
+ if !cfg!(test) {
+ assert!(
+ !frontend_url.is_empty(),
+ "CORS: frontend_url must be configured in production"
+ );
+ }
+ Cors::new().allow_origin(frontend_url)
+ };
 let app = value
 .app
 .with(RateLimit::new(&rate_limit_config))
- .with(Cors::new())
+ .with(cors)
 .data(value.settings);
 let server = value.server;
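Review bot: The new `assert!(!frontend_url.is_empty(), ...)` in the non-debug branch only rejects an empty string, so a `frontend_url` with a trailing slash, a path, or stray whitespace passes the check and is handed to `allow_origin` unchanged. Browsers send `Origin` as scheme, host and optional port only, so if `Cors` compares origins as exact strings (as poem's middleware appears to), such a value would never match and every cross-origin request from the real frontend would be refused. Consider normalising before use, e.g. `let frontend_url = value.settings.frontend_url.trim().trim_end_matches('/').to_owned();`, and validating the value where settings are loaded, so a bad configuration is reported as an error rather than a panic inside a `From` conversion. The `debug` branch still installs `Cors::new()`, which presumably keeps the permissive default policy, so it deserves a comment such as `// debug only: default (permissive) CORS policy; never set debug in production`. The enclosing `from` body starts and ends outside the hunk.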