diff --git a/packages/backend/src/utils/cors.ts b/packages/backend/src/utils/cors.ts
index 0ec1b375..bc4392ac 100644
--- a/packages/backend/src/utils/cors.ts
+++ b/packages/backend/src/utils/cors.ts
@@ -3,8 +3,13 @@ import { Context, Next } from "koa"
 import { createMiddleware } from "./middleware"

 async function patchedCors(ctx: Context, next: Next) {
+ const origin =
+ process.env.NODE_ENV !== "production"
+ ? ctx.get("Origin") || "*"
+ : process.env.APP_URL!
+
 if (ctx.method === "options") {
- ctx.set("Access-Control-Allow-Origin", ctx.get("Origin") || "*")
+ ctx.set("Access-Control-Allow-Origin", origin)
 ctx.set("Access-Control-Allow-Methods", "GET, POST, PATCH, OPTIONS, DELETE")
 ctx.set("Access-Control-Allow-Credentials", "true")
 ctx.set(
@@ -14,10 +19,9 @@ async function patchedCors(ctx: Context, next: Next) {
 ctx.status = 204
 return
 }
+
 await cors({
- origin(ctx) {
- return ctx.get("Origin") || "*"
- },
+ origin,
 credentials: true,
 allowMethods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
 allowHeaders: ["Content-Type", "Authorization", "Accept"],
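Review bot: The new `origin` selection in the first hunk fails open: any `NODE_ENV` other than the exact string `production` (unset, `staging`, a typo) still reflects the request's `Origin` while `Access-Control-Allow-Credentials: true` is sent, so a misconfigured deployment keeps the behaviour this commit sets out to remove. In the production branch `process.env.APP_URL!` only silences the type checker; if the variable is missing, `origin` is `undefined` at runtime, and what the `cors()` call in the second hunk does with an undefined `origin` depends on the middleware's default, which may be permissive and is worth confirming. `APP_URL` is also used verbatim, so a value with a trailing slash or a path would never equal a browser's `Origin` header. I would make development the explicit opt-in, reject a missing `APP_URL`, and normalise it with `new URL(...).origin`, as in the sketch that follows; local setups that leave `NODE_ENV` unset would then need to set it. The body of `patchedCors` continues outside both hunks.

```typescript
async function patchedCors(ctx: Context, next: Next) {
  let origin: string
  if (process.env.NODE_ENV === "development") {
    // Reflecting the caller's Origin is an explicit development-only opt-in.
    origin = ctx.get("Origin") || "*"
  } else {
    const appUrl = process.env.APP_URL
    if (!appUrl) {
      throw new Error("APP_URL must be set outside development")
    }
    // Browsers send scheme://host[:port] only; drop any path or trailing slash.
    origin = new URL(appUrl).origin
  }
  // … unchanged: preflight branch and cors() call …
```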