diff --git a/smoothschedule/config/settings/base.py b/smoothschedule/config/settings/base.py
index e0dbbde..f25ded1 100644
--- a/smoothschedule/config/settings/base.py
+++ b/smoothschedule/config/settings/base.py
@@ -315,6 +315,49 @@ REST_FRAMEWORK = {
 
 # django-cors-headers - https://github.com/adamchainz/django-cors-headers#setup
 CORS_URLS_REGEX = r"^/(api|auth)/.*$"
+from corsheaders.defaults import default_headers
+
+# CORS allowed origins (configurable via environment variables)
+# For development: set in .env as comma-separated values
+# For production: set DJANGO_CORS_ALLOWED_ORIGINS env var
+CORS_ALLOWED_ORIGINS = env.list(
+    "DJANGO_CORS_ALLOWED_ORIGINS",
+    default=[
+        "http://localhost:3000",
+        "http://localhost:5173",
+        "http://127.0.0.1:5173",
+    ],
+)
+
+# CORS allowed origin regexes (for wildcard subdomains, etc.)
+# Production: configure via DJANGO_CORS_ALLOWED_ORIGIN_REGEXES
+_cors_regexes = env(
+    "DJANGO_CORS_ALLOWED_ORIGIN_REGEXES",
+    default="",
+)
+CORS_ALLOWED_ORIGIN_REGEXES = [
+    regex.strip() for regex in _cors_regexes.split(",") if regex.strip()
+]
+
+CORS_ALLOW_CREDENTIALS = True
+CORS_ALLOW_HEADERS = list(default_headers) + [
+    "x-business-subdomain",
+    "x-sandbox-mode",
+]
+
+# CSRF Trusted Origins - configurable via environment variables
+# For local development, typically includes lvh.me subdomains
+# For production, should include your domain and wildcard subdomains
+CSRF_TRUSTED_ORIGINS = env.list(
+    "DJANGO_CSRF_TRUSTED_ORIGINS",
+    default=[
+        "http://localhost:5173",
+        "http://127.0.0.1:5173",
+        "http://lvh.me:5173",
+        "http://*.lvh.me:5173",
+        "http://*.lvh.me:5174",
+    ],
+)
 
 # By Default swagger ui is available only to admin user(s). You can change permission classes to change that
 # See more configuration options at https://drf-spectacular.readthedocs.io/en/latest/settings.html#settings
diff --git a/smoothschedule/config/settings/local.py b/smoothschedule/config/settings/local.py
index 5021960..f3116b4 100644
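Review bot: Because CORS_ALLOW_CREDENTIALS = True is set unconditionally here, the `default=[...]` lists on CORS_ALLOWED_ORIGINS and CSRF_TRUSTED_ORIGINS become the production configuration whenever the environment variables are unset, since this commit also removes the production.py block that derived https-only origins from DJANGO_DOMAIN_NAME (third hunk). A deployment that forgets the variables would then accept credentialed cross-origin requests from `http://localhost:3000` and trust `http://*.lvh.me:5173` for CSRF instead of failing at startup. I would keep these defaults for local use but have production.py read `CORS_ALLOWED_ORIGINS = env.list("DJANGO_CORS_ALLOWED_ORIGINS")` and `CSRF_TRUSTED_ORIGINS = env.list("DJANGO_CSRF_TRUSTED_ORIGINS")` with no default, so a missing value raises ImproperlyConfigured. Separately, `_cors_regexes.split(",")` cannot carry a pattern that itself contains a comma (a `{m,n}` quantifier, for example); either document that limitation in the comment above DJANGO_CORS_ALLOWED_ORIGIN_REGEXES or choose a separator that cannot appear in a regex.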
--- a/smoothschedule/config/settings/local.py
+++ b/smoothschedule/config/settings/local.py
@@ -55,39 +55,8 @@ SECRET_KEY = env(
 # https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
 ALLOWED_HOSTS = ["localhost", "0.0.0.0", "127.0.0.1", ".lvh.me", "lvh.me"]  # noqa: S104
 
-from corsheaders.defaults import default_headers
-
-# django-cors-headers
-# ------------------------------------------------------------------------------
-# https://github.com/adamchainz/django-cors-headers#configuration
-# When using credentials, we can't use CORS_ALLOW_ALL_ORIGINS
-# Must specify allowed origins explicitly
-CORS_ALLOWED_ORIGINS = [
-    "http://lvh.me:5173",
-    "http://lvh.me:5174",
-    "http://platform.lvh.me:5173",
-    "http://platform.lvh.me:5174",
-]
-CORS_ALLOWED_ORIGIN_REGEXES = [
-    r"^http://.*\.lvh\.me:517[34]$",  # Allow all subdomains on ports 5173/5174
-]
-CORS_ALLOW_CREDENTIALS = True
-CORS_ALLOW_HEADERS = list(default_headers) + [
-    "x-business-subdomain",
-    "x-sandbox-mode",
-]
-
-# CSRF
-# ------------------------------------------------------------------------------
-# https://docs.djangoproject.com/en/dev/ref/settings/#csrf-trusted-origins
-CSRF_TRUSTED_ORIGINS = [
-    "http://lvh.me:5173",
-    "http://lvh.me:5174",
-    "http://platform.lvh.me:5173",
-    "http://platform.lvh.me:5174",
-    "http://*.lvh.me:5173",
-    "http://*.lvh.me:5174",
-]
+# CORS and CSRF are configured in base.py with environment variable overrides
+# Local development uses the .env file to set DJANGO_CORS_ALLOWED_ORIGINS
 
 # CACHES
 # ------------------------------------------------------------------------------
diff --git a/smoothschedule/config/settings/production.py b/smoothschedule/config/settings/production.py
index 8017f52..94c6430 100644
--- a/smoothschedule/config/settings/production.py
+++ b/smoothschedule/config/settings/production.py
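Review bot: The replacement comment names only DJANGO_CORS_ALLOWED_ORIGINS, while the block it removes also set CORS_ALLOWED_ORIGIN_REGEXES and CSRF_TRUSTED_ORIGINS for the lvh.me hosts, and the base.py defaults introduced in the first hunk list `http://localhost:*` and `http://127.0.0.1:5173` for CORS rather than `http://lvh.me:5173` or the `*.lvh.me` regex. A developer using the lvh.me subdomains that ALLOWED_HOSTS still permits would presumably see CORS rejections until all three variables are set in .env. I would extend the comment to `# Local development sets DJANGO_CORS_ALLOWED_ORIGINS, DJANGO_CORS_ALLOWED_ORIGIN_REGEXES and DJANGO_CSRF_TRUSTED_ORIGINS in .env (lvh.me origins are not in the base defaults)`, or carry the lvh.me entries into the base.py defaults.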
@@ -67,43 +67,6 @@ SECURE_CONTENT_TYPE_NOSNIFF = env.bool(
     default=True,
 )
 
-# CORS
-# -------------------------------------------------------------------------------
-# django-cors-headers - https://github.com/adamchainz/django-cors-headers#setup
-# Configure allowed origins via environment variables for production
-from corsheaders.defaults import default_headers
-
-# Get CORS allowed origins from environment variable (comma-separated)
-# Example: DJANGO_CORS_ALLOWED_ORIGINS=https://example.com,https://app.example.com
-_cors_origins_str = env(
-    "DJANGO_CORS_ALLOWED_ORIGINS",
-    default=f"https://*.{env('DJANGO_DOMAIN_NAME', default='smoothschedule.com')}",
-)
-CORS_ALLOWED_ORIGINS = [origin.strip() for origin in _cors_origins_str.split(",") if origin.strip()]
-
-# Allow regex patterns for dynamic subdomains
-# Example: https://demo.smoothschedule.com, https://acme.smoothschedule.com, etc.
-CORS_ALLOWED_ORIGIN_REGEXES = [
-    rf"^https://.*\.{env('DJANGO_DOMAIN_NAME', default='smoothschedule.com')}$",
-]
-
-CORS_ALLOW_CREDENTIALS = True
-CORS_ALLOW_HEADERS = list(default_headers) + [
-    "x-business-subdomain",
-    "x-sandbox-mode",
-]
-
-# CSRF
-# -------------------------------------------------------------------------------
-CSRF_TRUSTED_ORIGINS = env.list(
-    "DJANGO_CSRF_TRUSTED_ORIGINS",
-    default=[
-        f"https://smoothschedule.com",
-        f"https://*.smoothschedule.com",
-    ],
-)
-
-
 # STATIC & MEDIA
 # ------------------------
 # S3-compatible storage (AWS S3 or DigitalOcean Spaces)