diff --git a/workflow/packages/backend/api/src/app/app.ts b/workflow/packages/backend/api/src/app/app.ts
index bba25407..7a020c42 100644
--- a/workflow/packages/backend/api/src/app/app.ts
+++ b/workflow/packages/backend/api/src/app/app.ts
@@ -165,7 +165,18 @@ export const setupApp = async (app: FastifyInstance): Promise = await app.register(fastifySocketIO, {
 cors: {
- origin: '*',
+ // SECURITY FIX: Restrict WebSocket connections to trusted domains only
+ origin: [
+ 'https://app.aixblock.io',
+ 'https://workflow.aixblock.io',
+ 'https://localhost:3000', // Development environment
+ 'http://localhost:3000', // Development environment
+ 'https://127.0.0.1:3000', // Local development
+ 'http://127.0.0.1:3000' // Local development
+ ],
+ credentials: true,
+ methods: ['GET', 'POST'],
+ allowedHeaders: ['Authorization', 'Content-Type']
 },
 ...spreadIfDefined('adapter', await getAdapter()),
 transports: ['websocket'],