diff --git a/server.js b/server.js
index bd5400d..7ac4a17 100644
--- a/server.js
+++ b/server.js
@@ -19,10 +19,12 @@ const PORT = 5577;
 
 // 미들웨어 설정
 app.use(cors({
- origin: function (origin, callback) {
- // 모든 origin 허용 (개발/운영 환경 모두)
- callback(null, true);
- },
+ origin: [
+ 'http://localhost:5577',
+ 'http://127.0.0.1:5577',
+ 'http://39.117.244.52:5577',
+ 'https://39.117.244.52:5577'
+ ],
 credentials: true,
 methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
 allowedHeaders: ['Content-Type', 'Authorization', 'X-API-Key', 'X-Requested-With'],
@@ -33,7 +35,20 @@ app.use(bodyParser.urlencoded({ extended: true, limit: '50mb' }));
 
 // OPTIONS 요청 처리 (CORS preflight)
 app.options('*', (req, res) => {
- res.header('Access-Control-Allow-Origin', '*');
+ const origin = req.headers.origin;
+ const allowedOrigins = [
+ 'http://localhost:5577',
+ 'http://127.0.0.1:5577',
+ 'http://39.117.244.52:5577',
+ 'https://39.117.244.52:5577'
+ ];
+
+ if (allowedOrigins.includes(origin)) {
+ res.header('Access-Control-Allow-Origin', origin);
+ } else {
+ res.header('Access-Control-Allow-Origin', 'http://39.117.244.52:5577');
+ }
+
 res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
 res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-API-Key, X-Requested-With');
 res.header('Access-Control-Allow-Credentials', 'true');
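Review bot: The new `origin` array is repeated verbatim in the `app.options('*')` handler changed in the second hunk, so the two lists can drift apart; a single module-level constant such as `const ALLOWED_ORIGINS = [...]`, passed as `origin: ALLOWED_ORIGINS` and reused in the handler, would keep one source of truth. With `credentials: true`, the entry `http://39.117.244.52:5577` extends credentialed cross-origin access to an origin served in cleartext, whose pages can be altered on the network path, so it is worth keeping only the `https://` form for the non-loopback address if the deployment allows it. Hard-coding the address also forces a code change for any host move; reading the list from configuration would avoid that. The `cors({...})` options object continues past the end of this hunk.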
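Review bot: In the `app.options('*')` handler, the `else` branch sends `Access-Control-Allow-Origin: http://39.117.244.52:5577` to origins that are not on the list, and the unchanged `Access-Control-Allow-Credentials` line below is still sent for them; browsers will reject the mismatch, but the response no longer states the decision that was made and is harder to audit. I would drop the `else` branch, set the credentials header only inside the `if`, and add `res.header('Vary', 'Origin');` because the response now depends on the request's Origin and could otherwise be cached for the wrong one. Since `app.use(cors(...))` is registered earlier and the `cors` middleware answers preflight requests itself unless `preflightContinue` is set, this handler may never run; if so, removing it avoids maintaining a second policy. The handler's body continues past the end of the hunk, so how the response is finished is not visible here.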