diff --git a/smoothschedule/config/settings/base.py b/smoothschedule/config/settings/base.py
index 2b6ad97..ec62acd 100644
--- a/smoothschedule/config/settings/base.py
+++ b/smoothschedule/config/settings/base.py
@@ -317,6 +317,9 @@ CORS_URLS_REGEX = r"^/(api|auth)/.*$"
 from corsheaders.defaults import default_headers
 # CORS allowed origins (configurable via environment variables)
+# WARNING: CORS_ALLOW_ALL_ORIGINS should only be used for testing!
+CORS_ALLOW_ALL_ORIGINS = env.bool("DJANGO_CORS_ALLOW_ALL_ORIGINS", default=False)
+
 # For development: set in .env as comma-separated values
 # For production: set DJANGO_CORS_ALLOWED_ORIGINS env var
 CORS_ALLOWED_ORIGINS = env.list(
diff --git a/smoothschedule/config/settings/multitenancy.py b/smoothschedule/config/settings/multitenancy.py
index 6713dba..c0c2967 100644
--- a/smoothschedule/config/settings/multitenancy.py
+++ b/smoothschedule/config/settings/multitenancy.py
@@ -88,13 +88,15 @@ DATABASE_ROUTERS = [
 # CRITICAL: Order matters!
 MIDDLEWARE = [
-    # 1. MUST BE FIRST: Tenant resolution
+    # 0. CORS must be first to set headers before tenant resolution
+    'corsheaders.middleware.CorsMiddleware',
+
+    # 1. Tenant resolution
     'django_tenants.middleware.main.TenantMainMiddleware',
     # 2. Security middleware
     'django.middleware.security.SecurityMiddleware',
     'csp.middleware.CSPMiddleware',
-    'corsheaders.middleware.CorsMiddleware', # Moved up for better CORS handling
     'whitenoise.middleware.WhiteNoiseMiddleware',
     # 3. Session & CSRF
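Review bot: `CORS_ALLOW_ALL_ORIGINS` becomes a production-reachable toggle guarded only by the WARNING comment, since any deployment that sets `DJANGO_CORS_ALLOW_ALL_ORIGINS=True` in its environment silently disables origin checking for every `/api` and `/auth` route. A guard that refuses the setting outside debug mode would turn the comment into an enforced invariant, e.g. `if CORS_ALLOW_ALL_ORIGINS and not DEBUG:` / `    raise ImproperlyConfigured("DJANGO_CORS_ALLOW_ALL_ORIGINS is for local testing only")` (with `ImproperlyConfigured` imported from `django.core.exceptions`), assuming `DEBUG` is defined earlier in base.py, which this hunk does not show. It is also worth confirming the value of `CORS_ALLOW_CREDENTIALS`, which is not in this hunk: django-cors-headers emits `Access-Control-Allow-Origin: *` only when credentials are disallowed and otherwise reflects the request's Origin, so this flag combined with credentials would let any origin issue credentialed requests. Finally, `CORS_ALLOWED_ORIGINS` below is still populated when the flag is on, which can give operators the impression that the allow-list is in effect; the WARNING comment could say that the allow-list is ignored in that case.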