diff --git a/README.md b/README.md
index 9d49a11..11e389c 100644
--- a/README.md
+++ b/README.md
@@ -184,4 +184,19 @@ Once the application is running, you can access the API documentation at:
 ## Database
-The application uses SQLite as the database. The database file is created at `/app/storage/db/db.sqlite`.
\ No newline at end of file
+The application uses SQLite as the database. The database file is created at `/app/storage/db/db.sqlite`.
+
+## CORS Configuration
+
+The API has CORS (Cross-Origin Resource Sharing) enabled with the following configuration:
+
+- Allowed origins:
+ - http://localhost
+ - http://localhost:3000
+ - https://v0-ecommerce-app-build-swart.vercel.app
+ - *
+
+- Allowed methods: GET, POST, PUT, DELETE, OPTIONS, PATCH
+- Allowed headers: Content-Type, Authorization, Accept, Origin, X-Requested-With, X-CSRF-Token
+- Exposed headers: Content-Length
+- Max age for preflight requests: 600 seconds (10 minutes)
\ No newline at end of file
diff --git a/app/core/config.py b/app/core/config.py
index 9906270..5544e0f 100644
--- a/app/core/config.py
+++ b/app/core/config.py
@@ -23,7 +23,12 @@ class Settings(BaseSettings):
 SQLALCHEMY_DATABASE_URL: str = f"sqlite:///{DB_DIR}/db.sqlite"
 # CORS settings
- CORS_ORIGINS: List[str] = ["*"]
+ CORS_ORIGINS: List[str] = [
+ "http://localhost",
+ "http://localhost:3000",
+ "https://v0-ecommerce-app-build-swart.vercel.app",
+ "*"
+ ]
 # Security settings
 PASSWORD_HASH_ROUNDS: int = 12
diff --git a/main.py b/main.py
index 5f16b88..fb4d0c6 100644
--- a/main.py
+++ b/main.py
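Review bot: The `"*"` entry kept at the end of `CORS_ORIGINS` in app/core/config.py makes the three explicit origins above it redundant, so the default still allows every origin. The main.py hunk passes this list to `CORSMiddleware` together with `allow_credentials=True`; FastAPI's CORS documentation says origins must be listed explicitly when credentials are allowed, and Starlette's middleware, as far as I know, handles wildcard-plus-credentials by echoing the caller's Origin, which would let any site make credentialed requests to the API. Drop the `"*"` line (and the matching `- *` bullet in the README hunk) so the default is the explicit allowlist, and add further origins per deployment through the settings rather than a wildcard. The `Settings` class body continues outside the hunk.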
@@ -17,10 +17,12 @@ app = FastAPI(
 # Set up CORS
 app.add_middleware(
 CORSMiddleware,
- allow_origins=["*"],
+ allow_origins=settings.CORS_ORIGINS,
 allow_credentials=True,
- allow_methods=["*"],
- allow_headers=["*"],
+ allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"],
+ allow_headers=["Content-Type", "Authorization", "Accept", "Origin", "X-Requested-With", "X-CSRF-Token"],
+ expose_headers=["Content-Length"],
+ max_age=600, # 10 minutes cache for preflight requests
 )
 # Include API router
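Review bot: The method and header allowlists, `expose_headers` and `max_age` are written as literals inside the `add_middleware` call, while the origins now come from `settings.CORS_ORIGINS`, so the CORS policy is split between main.py, config.py and the copy in the README. Consider declaring them next to the origins in `Settings`, for example `CORS_ALLOW_METHODS: List[str] = ["GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"]`, and passing `allow_methods=settings.CORS_ALLOW_METHODS` here, with the same treatment for the headers. That keeps one place to audit and lets a deployment tighten the policy without a code change.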