diff --git a/cognee/api/.env.example b/cognee/api/.env.example
new file mode 100644
index 000000000..1e06871df
--- /dev/null
+++ b/cognee/api/.env.example
@@ -0,0 +1,5 @@
+# Comma-separated list of allowed origins for CORS (leave empty to block all cross-origin requests)
+# Example:
+# CORS_ALLOWED_ORIGINS="https://yourdomain.com,https://another.com"
+# For local development, you might use:
+# CORS_ALLOWED_ORIGINS="http://localhost:3000"
\ No newline at end of file
diff --git a/cognee/api/client.py b/cognee/api/client.py
index c504690e4..960677f78 100644
--- a/cognee/api/client.py
+++ b/cognee/api/client.py
@@ -67,13 +67,22 @@ async def lifespan(app: FastAPI):
 app = FastAPI(debug=app_environment != "prod", lifespan=lifespan)
+# Read allowed origins from environment variable (comma-separated)
+CORS_ALLOWED_ORIGINS = os.getenv("CORS_ALLOWED_ORIGINS")
+if CORS_ALLOWED_ORIGINS:
+ allowed_origins = [origin.strip() for origin in CORS_ALLOWED_ORIGINS.split(",") if origin.strip()]
+else:
+ allowed_origins = [] # Block all except explicitly set origins
+
 app.add_middleware(
 CORSMiddleware,
- allow_origins=["http://localhost:3000", "http://127.0.0.1:3000"],
+ allow_origins=allowed_origins, # Now controlled by env var
 allow_credentials=True,
 allow_methods=["OPTIONS", "GET", "POST", "DELETE"],
 allow_headers=["*"],
 )
+# To allow origins, set CORS_ALLOWED_ORIGINS env variable to a comma-separated list, e.g.:
+# CORS_ALLOWED_ORIGINS="https://yourdomain.com,https://another.com"
 def custom_openapi():
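Review bot: Nothing in the new parsing block in cognee/api/client.py stops `CORS_ALLOWED_ORIGINS` from containing `*`, and the parsed list is handed to `CORSMiddleware` together with `allow_credentials=True` a few lines further down. As far as I know, Starlette's middleware handles that combination by echoing the caller's `Origin` back on credentialed requests (worth confirming against the pinned version), so one wildcard entry would let any site read authenticated responses; the old hard-coded list could not be misconfigured this way. I would fail fast right after the list is built, e.g. `if "*" in allowed_origins: raise ValueError("CORS_ALLOWED_ORIGINS must list explicit origins when credentials are allowed")`. Entries are only stripped, so a value with a trailing slash or a path will silently never match a browser `Origin` header; logging the parsed list at startup would make that visible. The `os` import is outside this hunk, so confirm client.py already has it.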