diff --git a/backend/main.go b/backend/main.go
index 4716f7a..fcd701c 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -56,7 +56,7 @@ func main() {
 	app := handlers.NewApp(db, handlers.NewBroker())
 
 	// Create server
-	srv := NewServer(app, "0.0.0.0:7153", []string{"*"})
+	srv := NewServer(app, "0.0.0.0:7153", "*")
 
 	// Start background cleanup service
 	go handlers.StartDailyCleanup(app)
diff --git a/backend/server.go b/backend/server.go
index 49e73df..c89237b 100644
--- a/backend/server.go
+++ b/backend/server.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"net/http"
+	"strings"
 
 	"menu/handlers"
 
@@ -10,7 +11,7 @@ import (
 	"github.com/go-chi/cors"
 )
 
-func NewServer(app *handlers.App, address string, allowedOrigins []string) *http.Server {
+func NewServer(app *handlers.App, address string, allowedOrigins string) *http.Server {
 	r := chi.NewRouter()
 
 	// Middleware
@@ -18,7 +19,7 @@ func NewServer(app *handlers.App, address string, allowedOrigins []string) *http
 	r.Use(middleware.Recoverer)
 	r.Use(middleware.Logger)
 	r.Use(cors.Handler(cors.Options{
-		AllowedOrigins:   allowedOrigins,
+		AllowedOrigins:   makeAllowedOrigins(allowedOrigins),
 		AllowedMethods:   []string{"GET", "POST", "OPTIONS"},
 		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type"},
 		AllowCredentials: true,
@@ -72,3 +73,10 @@ func NewServer(app *handlers.App, address string, allowedOrigins []string) *http
 		Handler: r,
 	}
 }
+
+func makeAllowedOrigins(origins string) []string {
+	if origins == "" {
+		origins = "*"
+	}
+	return strings.Split(strings.TrimSpace(origins), ",")
+}