diff --git a/smoothschedule/config/settings/production.py b/smoothschedule/config/settings/production.py
index e68234a..8017f52 100644
--- a/smoothschedule/config/settings/production.py
+++ b/smoothschedule/config/settings/production.py
@@ -67,6 +67,42 @@ SECURE_CONTENT_TYPE_NOSNIFF = env.bool(
     default=True,
 )
+# CORS
+# -------------------------------------------------------------------------------
+# django-cors-headers - https://github.com/adamchainz/django-cors-headers#setup
+# Configure allowed origins via environment variables for production
+from corsheaders.defaults import default_headers
+
+# Get CORS allowed origins from environment variable (comma-separated)
+# Example: DJANGO_CORS_ALLOWED_ORIGINS=https://example.com,https://app.example.com
+_cors_origins_str = env(
+    "DJANGO_CORS_ALLOWED_ORIGINS",
+    default=f"https://*.{env('DJANGO_DOMAIN_NAME', default='smoothschedule.com')}",
+)
+CORS_ALLOWED_ORIGINS = [origin.strip() for origin in _cors_origins_str.split(",") if origin.strip()]
+
+# Allow regex patterns for dynamic subdomains
+# Example: https://demo.smoothschedule.com, https://acme.smoothschedule.com, etc.
+CORS_ALLOWED_ORIGIN_REGEXES = [
+    rf"^https://.*\.{env('DJANGO_DOMAIN_NAME', default='smoothschedule.com')}$",
+]
+
+CORS_ALLOW_CREDENTIALS = True
+CORS_ALLOW_HEADERS = list(default_headers) + [
+    "x-business-subdomain",
+    "x-sandbox-mode",
+]
+
+# CSRF
+# -------------------------------------------------------------------------------
+CSRF_TRUSTED_ORIGINS = env.list(
+    "DJANGO_CSRF_TRUSTED_ORIGINS",
+    default=[
+        f"https://smoothschedule.com",
+        f"https://*.smoothschedule.com",
+    ],
+)
+
 # STATIC & MEDIA
 # ------------------------