diff --git a/.github/workflows/google-cloudrun-docker.yml b/.github/workflows/google-cloudrun-docker.yml
index b3a2cdd..a683d12 100644
--- a/.github/workflows/google-cloudrun-docker.yml
+++ b/.github/workflows/google-cloudrun-docker.yml
@@ -63,6 +63,7 @@ jobs:
           region: '${{ env.REGION }}'
           image: 'gcr.io/${{ env.PROJECT_ID }}/${{ env.BACKEND_SERVICE }}:${{ github.sha }}'
           env_vars: |
+            ENVIRONMENT=production
             AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}
             AZURE_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }}
             AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }}
diff --git a/backend/main.py b/backend/main.py
index bdb8853..de1292e 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -1,3 +1,4 @@
+import os
 import uvicorn
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
@@ -5,14 +6,50 @@
 
 app = FastAPI()
 
+# Configure CORS origins based on environment
+# Check for production indicators
+is_production = (
+    os.getenv("ENVIRONMENT") == "production"
+    or os.getenv("K_SERVICE") is not None  # Google Cloud Run
+)
+
+if is_production:
+    # Production: Only allow specific origins
+    allowed_origins = [
+        "https://querypal.virtonomy.io",  # Production frontend
+        "https://querypal-frontend-zynyyoxona-ew.a.run.app",  # Cloud Run frontend URL (pattern)
+        # Add your actual Cloud Run frontend URL when you know it
+    ]
+else:
+    # Development: Allow localhost origins
+    allowed_origins = [
+        "http://localhost:8000",
+        "http://localhost:5173",
+        "http://127.0.0.1:8000",
+        "http://127.0.0.1:5173",
+    ]
+
+print(f"🔧 CORS Configuration - Production mode: {is_production}")
+print(f"🌐 Allowed origins: {allowed_origins}")
+
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=allowed_origins,
     allow_credentials=True,
-    allow_methods=["*"],
+    allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
     allow_headers=["*"],
 )
 
+
+@app.get("/health")
+async def health_check():
+    """Health check endpoint."""
+    return {
+        "status": "healthy",
+        "cors_production_mode": is_production,
+    }
+
+
 app.include_router(query.router, prefix="/query", tags=["Query"])
 app.include_router(azure.router, prefix="/azure", tags=["Azure"])
 app.include_router(system.router, prefix="/system", tags=["System"])