diff --git a/server.js b/server.js
index 55f105a..e7661fe 100644
--- a/server.js
+++ b/server.js
@@ -21,7 +21,25 @@ const filesRouter = require('./routes/files');
 const app = express();
 const PORT = 3002;
-app.use(cors());
+// CORS mit Whitelist und tolerantem Fallback für fehlende Origin-Header
+const allowedOrigins = (process.env.ALLOWED_ORIGINS || '')
+ .split(',')
+ .map(s => s.trim())
+ .filter(Boolean);
+
+app.use(cors({
+ origin: (origin, callback) => {
+ if (!origin) return callback(null, true); // z.B. Healthchecks/curl/Server-zu-Server
+ if (allowedOrigins.length === 0) return callback(null, true); // Fallback: alles erlauben
+ if (allowedOrigins.includes(origin)) return callback(null, true);
+ return callback(new Error('Not allowed by CORS'), false);
+ },
+ credentials: true,
+ methods: ['GET','POST','PUT','PATCH','DELETE','OPTIONS'],
+ allowedHeaders: ['Content-Type','Authorization']
+}));
+app.options('*', cors());
+
 app.use(bodyParser.json());
 app.use('/api/auth', authRouter);
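Review bot: The `allowedOrigins.length === 0` fallback combined with `credentials: true` turns the whitelist into an opt-in: when ALLOWED_ORIGINS is unset or empty the origin callback approves every origin, the cors middleware reflects it into Access-Control-Allow-Origin next to Access-Control-Allow-Credentials: true, and any website can issue credentialed cross-origin requests to /api/* — the same exposure the removed `app.use(cors())` had, now merely depending on deployment configuration. Make the empty list fail closed, `if (allowedOrigins.length === 0) return callback(null, false);`, and log a startup warning so a missing variable is noticed instead of silently permissive. The trailing `app.options('*', cors())` appears unreachable, since the whitelist middleware above already terminates OPTIONS requests (preflightContinue is not set), and if it were ever reached it would answer with the default `*` origin and no credentials header, so it should be dropped rather than left as a second, permissive preflight path. Rejecting with `callback(new Error('Not allowed by CORS'), false)` sends disallowed origins through the Express error pipeline (a 500, and possibly a stack trace, unless a handler is registered), whereas `callback(null, false)` simply omits the CORS headers and lets the browser block the response. The hunk's trailing context appears to continue past the lines shown.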