diff --git a/src/main/java/com/endlesshorses/oot/custom/config/CorsConfig.java b/src/main/java/com/endlesshorses/oot/custom/config/CorsConfig.java
new file mode 100644
index 0000000..545eec5
--- /dev/null
+++ b/src/main/java/com/endlesshorses/oot/custom/config/CorsConfig.java
@@ -0,0 +1,20 @@
+package com.endlesshorses.oot.custom.config;
+
+import java.util.List;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@ConfigurationProperties(prefix = "cors")
+public class CorsConfig {
+ private List allowedOrigins;
+
+ public List getAllowedOrigins() {
+ return allowedOrigins;
+ }
+
+ public void setAllowedOrigins(List allowedOrigins) {
+ this.allowedOrigins = allowedOrigins;
+ }
+}
diff --git a/src/main/java/com/endlesshorses/oot/custom/config/CorsFilter.java b/src/main/java/com/endlesshorses/oot/custom/config/CorsFilter.java
index 348f3b6..e42c370 100644
--- a/src/main/java/com/endlesshorses/oot/custom/config/CorsFilter.java
+++ b/src/main/java/com/endlesshorses/oot/custom/config/CorsFilter.java
@@ -1,6 +1,8 @@
 package com.endlesshorses.oot.custom.config;
 import java.io.IOException;
+import java.util.Arrays;
+import java.util.List;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
@@ -14,11 +16,13 @@
 import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
 @Component
 @Order(Ordered.HIGHEST_PRECEDENCE)
+@RequiredArgsConstructor
 public class CorsFilter implements Filter {
- private Object Ordered;
+ private final CorsConfig corsConfig;
 @Override
 public void init(FilterConfig filterConfig) throws ServletException {
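Review bot: In CorsConfig.java the `allowedOrigins` field has no default value, so it stays null whenever no property under the `cors` prefix is bound, and the `corsConfig.getAllowedOrigins().contains(origin)` call this commit adds to CorsFilter.doFilter would then throw a NullPointerException on every request. Give the field a fail-closed default, `private List<String> allowedOrigins = new ArrayList<>();` with `import java.util.ArrayList;`, so a missing setting means no origin is allowed rather than a failing filter. The element type is not visible in this rendering of the patch; if the field and accessors really use raw `List`, declare them as `List<String>`.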
@@ -35,12 +39,18 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
 HttpServletRequest request = (HttpServletRequest) req;
 HttpServletResponse response = (HttpServletResponse) res;
- response.setHeader("Access-Control-Allow-Origin", "*");
- response.setHeader("Access-Control-Allow-Credentials", "true");
- response.setHeader("Access-Control-Allow-Methods", "*");
- response.setHeader("Access-Control-Max-Age", "3600");
- response.setHeader("Access-Control-Allow-Headers",
- "Origin, X-Requested-With, Content-Type, Accept, Authorization");
+ String origin = request.getHeader("Origin");
+
+ System.out.println(corsConfig.getAllowedOrigins());
+
+ if (corsConfig.getAllowedOrigins().contains(origin)) {
+ response.setHeader("Access-Control-Allow-Origin", origin);
+ response.setHeader("Access-Control-Allow-Credentials", "true");
+ response.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS, PUT, PATCH, DELETE");
+ response.setHeader("Access-Control-Max-Age", "3600");
+ response.setHeader("Access-Control-Allow-Headers",
+ "Origin, X-Requested-With, Content-Type, Accept, Authorization");
+ }
 if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
 response.setStatus(HttpServletResponse.SC_OK);
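Review bot: `Access-Control-Allow-Origin` now echoes the request's `Origin`, but the response carries no `Vary: Origin`, so a browser or shared cache can reuse a response stored for one origin when answering another. Add `response.addHeader("Vary", "Origin");` before the `if`, so it is set whether or not the origin matches. The `System.out.println(corsConfig.getAllowedOrigins());` line runs on every request in a highest-precedence filter and looks like leftover debugging; drop it or log the list once at startup through the project's logger. Because credentials are allowed for every listed origin, the configured list should hold exact scheme-host-port strings only and never the literal `null` origin. doFilter begins and ends outside this hunk, so the OPTIONS branch below is only partly visible.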