diff --git a/backend/config.py b/backend/config.py
index e25ee8d..e4aeb22 100644
--- a/backend/config.py
+++ b/backend/config.py
@@ -9,5 +9,8 @@ SECRET_KEY = os.getenv("SECRET_KEY", "airlabs-project-secret-key-change-in-produ
 ALGORITHM = "HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES = 60 * 24  # 24 小时
 
+# CORS
+CORS_ORIGINS = os.getenv("CORS_ORIGINS", "*").split(",")
+
 # 成本计算
 WORKING_DAYS_PER_MONTH = 22
diff --git a/backend/main.py b/backend/main.py
index ffccbdc..58e34dd 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -13,10 +13,11 @@ Base.metadata.create_all(bind=engine)
 
 app = FastAPI(title="AirLabs Project", version="1.0.0")
 
-# CORS（开发阶段允许所有来源）
+# CORS
+from config import CORS_ORIGINS
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=CORS_ORIGINS,
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],
diff --git a/k8s/backend-deployment-prod.yaml b/k8s/backend-deployment-prod.yaml
index 244dea2..94c48ab 100644
--- a/k8s/backend-deployment-prod.yaml
+++ b/k8s/backend-deployment-prod.yaml
@@ -39,6 +39,9 @@ spec:
         # 生产环境 JWT 密钥（部署前请修改）
         - name: SECRET_KEY
           value: "Ui5-xEvtAhKRDtlXKzDfd7TElsVZFUhakff0qcjn8jU"
+        # CORS 允许的域名
+        - name: CORS_ORIGINS
+          value: "https://airlabs-manage-web.airlabs.art"
         volumeMounts:
         - name: sqlite-data
           mountPath: /app/data