diff --git a/docker-compose.production.yml b/docker-compose.production.yml
index 58e878b..ce695b2 100644
--- a/docker-compose.production.yml
+++ b/docker-compose.production.yml
@@ -30,6 +30,7 @@ services:
       - PORT=80
       - REDIS_URL=redis://redis:6379
       - COTURN_ENABLED=true
+      # - API_ORIGINS=https://example.com,https://app.example.com:3000
     networks:
       - filepizza
     depends_on:
diff --git a/docker-compose.yml b/docker-compose.yml
index 0d59499..cda51f9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -30,6 +30,7 @@ services:
     environment:
       - PORT=8080
       - REDIS_URL=redis://redis:6379
+      # - API_ORIGINS=https://example.com,https://app.example.com:3000,http://localhost:8081
     networks:
       - filepizza
     depends_on:
diff --git a/src/middleware.ts b/src/middleware.ts
new file mode 100644
index 0000000..5559c05
--- /dev/null
+++ b/src/middleware.ts
@@ -0,0 +1,24 @@
+import { NextResponse } from 'next/server'
+import type { NextRequest } from 'next/server'
+
+export function middleware(request: NextRequest) {
+  const response = NextResponse.next()
+
+  const allowedOrigins = process.env.API_ORIGINS ? process.env.API_ORIGINS.split(',') : []
+  const origin = request.headers.get('origin')
+
+  if (allowedOrigins.includes('*')) {
+    response.headers.set('Access-Control-Allow-Origin', '*')
+  } else if (origin && allowedOrigins.includes(origin)) {
+    response.headers.set('Access-Control-Allow-Origin', origin)
+  }
+
+  response.headers.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, PUT, DELETE')
+  response.headers.set('Access-Control-Allow-Headers', 'Content-Type, Authorization')
+
+  return response
+}
+
+export const config = {
+    matcher: ['/:path*']
+}
\ No newline at end of file