diff --git a/workflow/packages/backend/api/src/app/server.ts b/workflow/packages/backend/api/src/app/server.ts
index 848ced9d..f62d004f 100644
--- a/workflow/packages/backend/api/src/app/server.ts
+++ b/workflow/packages/backend/api/src/app/server.ts
@@ -74,10 +74,31 @@ async function setupBaseApp(): Promise {
     await app.register(formBody, { parser: (str) => qs.parse(str) })
     app.setErrorHandler(errorHandler)
+
+    // FIX: CORS misconfiguration - Use specific allowed origins instead of wildcard
+    // This prevents cross-origin data theft from authenticated sessions
+    // Related to Issue #356
+    const allowedOrigins = process.env.ALLOWED_ORIGINS?.split(',') || [
+        'https://app.aixblock.io',
+        'https://workflow-live.aixblock.io',
+    ];
+
     await app.register(cors, {
-        origin: '*',
+        origin: (origin, callback) => {
+            // Allow requests with no origin (like mobile apps or curl requests)
+            if (!origin) {
+                return callback(null, true);
+            }
+
+            if (allowedOrigins.includes(origin)) {
+                callback(null, true);
+            } else {
+                callback(new Error('Not allowed by CORS'), false);
+            }
+        },
+        credentials: true,
         exposedHeaders: ['*'],
-        methods: ['*'],
+        methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
     })
     // SurveyMonkey
     app.addContentTypeParser(
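Review bot: The `ALLOWED_ORIGINS` parsing on the new `const allowedOrigins` line does not trim or drop empty entries, so a value like `https://a.example, https://b.example` leaves a leading space on the second origin (it will never equal a browser's `Origin` header and be rejected), and an empty-but-set variable yields `['']` rather than the defaults, locking every browser origin out; a safer form is `const configured = (process.env.ALLOWED_ORIGINS ?? '').split(',').map((o) => o.trim()).filter(Boolean);` followed by `const allowedOrigins = configured.length > 0 ? configured : ['https://app.aixblock.io', 'https://workflow-live.aixblock.io'];`. Separately, now that `credentials: true` is set, the retained `exposedHeaders: ['*']` stops working as a wildcard — browsers treat `*` in `Access-Control-Expose-Headers` literally on credentialed responses — so if clients need to read custom response headers those names should be listed explicitly. The explicit `methods` list omits `PATCH`; if the API serves any PATCH routes their preflights will now fail, which is worth confirming against the route table. The enclosing `setupBaseApp` function starts and ends outside this hunk.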