diff --git a/src/index.ts b/src/index.ts
index dfbafdf..7eec571 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -21,11 +21,31 @@ const PORT = parseInt(process.env.PORT || "3100", 10);
 loadKeys();
 app.use(helmet());
+
+// CORS — allow browser requests from the landing page
+app.use((req, res, next) => {
+ const origin = req.headers.origin;
+ const allowed = ["https://docfast.dev", "http://localhost:3100"];
+ if (origin && allowed.includes(origin)) {
+ res.setHeader("Access-Control-Allow-Origin", origin);
+ }
+ res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+ res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-API-Key");
+ res.setHeader("Access-Control-Max-Age", "86400");
+ if (req.method === "OPTIONS") {
+ res.status(204).end();
+ return;
+ }
+ next();
+});
 // Raw body for Stripe webhook signature verification
 app.use("/v1/billing/webhook", express.raw({ type: "application/json" }));
 app.use(express.json({ limit: "2mb" }));
 app.use(express.text({ limit: "2mb", type: "text/*" }));
+// Trust nginx proxy
+app.set("trust proxy", 1);
+
 // Rate limiting
 const limiter = rateLimit({
 windowMs: 60_000,
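Review bot: The new CORS middleware reflects whichever allow-listed origin the request carried into `Access-Control-Allow-Origin` but never emits `Vary: Origin`, so any shared cache in front of the app (the nginx hop the new `trust proxy` line anticipates, or a CDN) can store a response produced for one origin and replay its ACAO header to a different one; add `res.setHeader("Vary", "Origin");` next to the other `setHeader` calls, unconditionally, since the response differs by Origin whether or not the allow-origin header ends up set. `http://localhost:3100` sits in the same hard-coded list as the production landing page and is therefore honoured in deployed builds too; gating it on `process.env.NODE_ENV !== "production"` (or reading the list from an environment variable) keeps the dev origin out of production. The `OPTIONS` branch answers 204 to every OPTIONS request regardless of origin and before any route runs, which is harmless for browsers (a preflight with no ACAO is rejected client-side) but deserves a comment such as `// Preflight: answered for any origin; without ACAO the browser rejects disallowed ones` so a later reader does not mistake it for an allow-all. The `rateLimit({` configuration the hunk ends on continues past the visible end of the hunk, and the `app.use(limiter)` that would apply it is not shown, so whether preflights bypass rate limiting cannot be judged from here.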