diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..e074f2a
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,6 @@
+# Example environment variables for the Awesome Overcut monorepo
+# -------------------------------------------------------------
+# Copy this file to `.env` (or another env file) and adjust values as needed.
+
+# Comma-separated list of allowed origins for CORS
+CORS_ALLOWED_ORIGINS=http://localhost:3000,http://localhost:4200
diff --git a/README.md b/README.md
index 707645a..a1e77c1 100644
--- a/README.md
+++ b/README.md
@@ -227,3 +227,16 @@ This project is licensed under the **Apache License 2.0** – see the [LICENSE](
 * Generated with [Amplication](https://amplication.com) – an open-source platform for building Node.js applications.
 * Built with amazing open-source software:
 * [NestJS](https://nestjs.com) • [Prisma](https://www.prisma.io) • [React](https://react.dev) • [React-Admin](https://marmelab.com/react-admin/) • and many more.
+
+---
+
+## Configuration
+
+### Environment Variables
+
+The server’s CORS policy can be restricted via the `CORS_ALLOWED_ORIGINS` variable (comma-separated list). If omitted, it defaults to the local dev origins `http://localhost:3000` and `http://localhost:4200`.
+
+```
+# See .env.example for the complete template
+CORS_ALLOWED_ORIGINS=http://admin.example.com,https://app.example.com
+```
diff --git a/apps/hotel-management-service-server/src/main.ts b/apps/hotel-management-service-server/src/main.ts
index 474eead..c657e53 100644
--- a/apps/hotel-management-service-server/src/main.ts
+++ b/apps/hotel-management-service-server/src/main.ts
@@ -13,7 +13,18 @@ import {
 const { PORT = 3000 } = process.env;
 async function main() {
- const app = await NestFactory.create(AppModule, { cors: true });
+ const app = await NestFactory.create(AppModule);
+
+ const allowedOrigins =
+ process.env.CORS_ALLOWED_ORIGINS?.split(',').map(o => o.trim()) ?? [
+ 'http://localhost:3000',
+ 'http://localhost:4200',
+ ];
+
+ app.enableCors({
+ origin: allowedOrigins,
+ credentials: true,
+ });
 app.setGlobalPrefix("api");
 app.useGlobalPipes(
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..2a7bb4a
--- /dev/null
+++ b/package.json
@@ -0,0 +1,7 @@
+{
+ "name": "awesome-overcut-root",
+ "private": true,
+ "scripts": {
+ "lint:cors": "! grep -R --line-number -- '{ cors: true }' apps/*/src/main.ts || (echo 'Error: Disallowed permissive CORS usage found.' && exit 1)"
+ }
+}
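Review bot: In `main()` of `apps/hotel-management-service-server/src/main.ts`, the origin list keeps blank entries and the `??` fallback fires only when the variable is undefined, so `CORS_ALLOWED_ORIGINS=` (set but empty) or a trailing comma produces `['']` instead of the documented localhost defaults. Separately, a deployment that forgets the variable silently accepts credentialed cross-origin requests from `http://localhost:3000` and `http://localhost:4200`, since `credentials: true` is now unconditional; failing at startup when nothing is configured outside development would be safer. The fence below filters empty entries and adds that guard; the `NODE_ENV` test is an assumption about how this service tells environments apart, so adapt it to the project's convention. It is also worth confirming that clients actually need cookies or other credentials cross-origin, because if they do not, `credentials: true` can be dropped. `main()` continues past the end of the hunk.

```typescript
  const app = await NestFactory.create(AppModule);

  // Drop blank entries so "" or a trailing comma cannot yield [''].
  const configuredOrigins = (process.env.CORS_ALLOWED_ORIGINS ?? '')
    .split(',')
    .map((o) => o.trim())
    .filter((o) => o.length > 0);

  // Refuse to start with the dev defaults when running in production.
  if (configuredOrigins.length === 0 && process.env.NODE_ENV === 'production') {
    throw new Error('CORS_ALLOWED_ORIGINS must be set in production');
  }

  const allowedOrigins =
    configuredOrigins.length > 0
      ? configuredOrigins
      : ['http://localhost:3000', 'http://localhost:4200'];

  // … unchanged: app.enableCors({ origin: allowedOrigins, credentials: true }) …
```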
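Review bot: The `lint:cors` script in `package.json` matches only the exact text `{ cors: true }` in `apps/*/src/main.ts`, so equally permissive setups pass unnoticed: `cors:true` with different spacing, `app.enableCors()` with no options, or `origin: true` / `origin: '*'` in any file. Because of the leading `!`, a grep failure (exit status 2, for example when the glob matches no file) is also reported as success. A broader pattern such as `grep -REn -- 'cors:[[:space:]]*true|enableCors\([[:space:]]*\)' apps/*/src` would catch more variants, though an ESLint rule or a test that asserts the response headers would be sturdier. Treat this script as a tripwire rather than proof that CORS is restricted.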