diff --git a/backend/fly.toml b/backend/fly.toml
index 9d57e39..816e982 100644
--- a/backend/fly.toml
+++ b/backend/fly.toml
@@ -14,7 +14,7 @@ primary_region = "ams"
 GIT_WORKSPACE_DIR = "/app/data/workspace"
 # Cross-site frontend and OAuth
 FRONTEND_URL = "https://gallus-pub.ch"
- CORS_ORIGIN = "https://gallus-pub.ch"
+ CORS_ORIGIN = "https://gallus-pub.ch,https://www.gallus-pub.ch"
 GITEA_REDIRECT_URI = "https://cms.gallus-pub.ch/api/auth/callback"
 
 [http_service]
diff --git a/backend/src/index.ts b/backend/src/index.ts
index f709cf2..b64ea83 100644
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@@ -40,8 +40,23 @@ const fastify = Fastify({
 });
 
 // Register plugins
+// Support multiple origins for CORS
+const allowedOrigins = env.CORS_ORIGIN.split(',').map(o => o.trim());
 fastify.register(cors, {
- origin: env.CORS_ORIGIN,
+ origin: (origin, cb) => {
+ // Allow requests with no origin (like mobile apps or curl)
+ if (!origin) {
+ cb(null, true);
+ return;
+ }
+
+ // Check if origin is in allowed list
+ if (allowedOrigins.some(allowed => origin === allowed || origin.endsWith(allowed))) {
+ cb(null, true);
+ } else {
+ cb(new Error('Not allowed by CORS'), false);
+ }
+ },
 credentials: true,
 });
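Review bot: In backend/src/index.ts the `origin.endsWith(allowed)` clause of the origin check makes the allowlist a suffix match, which is unsafe alongside `credentials: true`. An empty entry in `allowedOrigins` (a trailing comma or an empty `CORS_ORIGIN`) makes `endsWith('')` true for every origin, and an entry written without a scheme would also accept any host that merely ends in that string. Both values set in fly.toml are full origins, so exact comparison is enough: build the list with `env.CORS_ORIGIN.split(',').map(o => o.trim()).filter(Boolean)` and test `if (allowedOrigins.includes(origin)) {`. A short comment above `allowedOrigins` saying that entries must be complete origins (scheme and host, no trailing slash) would keep later config edits from reintroducing the problem.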