diff --git a/DbFirst.API/Program.cs b/DbFirst.API/Program.cs
index c9b5a30..bdfce03 100644
--- a/DbFirst.API/Program.cs
+++ b/DbFirst.API/Program.cs
@@ -5,7 +5,7 @@ using DbFirst.Infrastructure.Repositories;
 using Microsoft.EntityFrameworkCore;
 using DbFirst.API.Middleware;
 
-// TODO: create and add exception handling middleware - Done
+//TODO: create and add exception handling middleware
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -17,11 +17,21 @@ builder.Services.AddSwaggerGen();
 // TODO: allow listed origins configured in appsettings.json
 builder.Services.AddCors(options =>
 {
+    var origins = builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>() ?? Array.Empty<string>();
     options.AddDefaultPolicy(policy =>
     {
-        policy.AllowAnyOrigin()
-              .AllowAnyHeader()
-              .AllowAnyMethod();
+        if (origins.Length > 0)
+        {
+            policy.WithOrigins(origins)
+                  .AllowAnyHeader()
+                  .AllowAnyMethod();
+        }
+        else
+        {
+            policy.AllowAnyOrigin()
+                  .AllowAnyHeader()
+                  .AllowAnyMethod();
+        }
     });
 });
 
diff --git a/DbFirst.API/appsettings.json b/DbFirst.API/appsettings.json
index 7561326..c0ba046 100644
--- a/DbFirst.API/appsettings.json
+++ b/DbFirst.API/appsettings.json
@@ -2,6 +2,12 @@
   "ConnectionStrings": {
     "DefaultConnection": "Server=SDD-VMP04-SQL17\\DD_DEVELOP01;Database=DD_ECM;User Id=sa;Password=dd;TrustServerCertificate=True;"
   },
+  "Cors": {
+    "AllowedOrigins": [
+      "https://localhost:7276",
+      "http://localhost:5101"
+    ]
+  },
   "Logging": {
     "LogLevel": {
       "Default": "Information",