diff --git a/src/app.js b/src/app.js
index f19f09f..eed9592 100644
--- a/src/app.js
+++ b/src/app.js
@@ -63,12 +63,9 @@ app.use(
 const isProduction = process.env.NODE_ENV === 'production';
 const corsOptions = {
 origin: (origin, callback) => {
- // Requests with no origin (curl, Postman, server-to-server)
- // Only allow in development - in production this is a CORS bypass vector
+ // Requests with no origin (direct browser navigation, file downloads)
+ // Allow in production too - auth is handled by JWT/cookies on protected routes
 if (!origin) {
- if (isProduction) {
- return callback(new Error('Not allowed by CORS'));
- }
 return callback(null, true);
 }