diff --git a/config.json b/config.json
index 4afb0c4..4411f61 100644
--- a/config.json
+++ b/config.json
@@ -2,7 +2,8 @@
 "development": {
 "server": {
 "port": 9090,
- "logLevel": "trace"
+ "logLevel": "trace",
+ "corsOrigins": ["https://web.farmcontrol.app", "https://dev.tombutcher.work", "http://localhost:5173", "http://localhost:3000"]
 },
 "auth": {
 "enabled": true,
diff --git a/src/socket/socketmanager.js b/src/socket/socketmanager.js
index f83e1c5..32ddfdd 100644
--- a/src/socket/socketmanager.js
+++ b/src/socket/socketmanager.js
@@ -21,11 +21,20 @@ export class SocketManager {
 this.templateManager = new TemplateManager(this);
 // Use the provided HTTP server
- // Create Socket.IO server
+ // Create Socket.IO server - CORS applies to HTTP long-polling transport
+ const allowedOrigins = config.server.corsOrigins || ['*'];
 const io = new Server(server, {
 cors: {
- origin: config.server.corsOrigins || '*',
- methods: ['GET', 'POST']
+ origin: (origin, callback) => {
+ // Allow requests with no origin (e.g. same-origin, Postman, native apps)
+ if (!origin) return callback(null, true);
+ if (allowedOrigins.includes('*')) return callback(null, true);
+ if (allowedOrigins.includes(origin)) return callback(null, origin);
+ callback(new Error('CORS not allowed'));
+ },
+ methods: ['GET', 'POST'],
+ credentials: true,
+ allowedHeaders: ['Content-Type', 'Authorization']
 }
 });
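Review bot: The wildcard fallback now combines origin reflection with credentials: when `config.server.corsOrigins` is absent, `allowedOrigins` is `['*']`, the `includes('*')` branch answers `callback(null, true)`, which the cors layer turns into an `Access-Control-Allow-Origin` echoing the requesting origin, and the new `credentials: true` adds `Access-Control-Allow-Credentials: true` — so any site can make credentialed long-polling requests, whereas the old literal `'*'` without credentials could not be paired with credentials by browsers. Fail closed instead with `const allowedOrigins = config.server.corsOrigins ?? [];` and, if a wildcard must remain supported, `if (allowedOrigins.includes('*')) return callback(null, '*');` so the header stays a literal `*` that browsers refuse to combine with credentials. The `includes(origin)` comparison is an exact string match, so a comment such as `// entries must be exact origins: scheme://host[:port], no path or trailing slash` above `allowedOrigins` would save the next config.json edit from silently failing. The enclosing constructor starts before this hunk and its body continues after it.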