diff --git a/Procfile b/Procfile
new file mode 100644
index 0000000..30a8aa1
--- /dev/null
+++ b/Procfile
@@ -0,0 +1,2 @@
+web: /app/api
+worker: /app/worker
diff --git a/internal/router/router.go b/internal/router/router.go
index 525261f..2141b38 100644
--- a/internal/router/router.go
+++ b/internal/router/router.go
@@ -124,11 +124,35 @@ func corsMiddleware(cfg *config.Config) gin.HandlerFunc {
 		MaxAge:           12 * time.Hour,
 	}
 
-	// In debug mode, allow all origins; otherwise use configured hosts
+	// In debug mode or if no proper origins configured, allow all origins
 	if cfg.Server.Debug {
 		corsConfig.AllowAllOrigins = true
 	} else {
-		corsConfig.AllowOrigins = cfg.Server.AllowedHosts
+		// Transform allowed hosts to proper origins with https://
+		var origins []string
+		for _, host := range cfg.Server.AllowedHosts {
+			host = strings.TrimSpace(host)
+			if host == "" {
+				continue
+			}
+			if host == "*" {
+				corsConfig.AllowAllOrigins = true
+				break
+			}
+			// If host doesn't have scheme, add https://
+			if !strings.HasPrefix(host, "http://") && !strings.HasPrefix(host, "https://") {
+				origins = append(origins, "https://"+host)
+				origins = append(origins, "http://"+host) // Also allow http for dev
+			} else {
+				origins = append(origins, host)
+			}
+		}
+		if !corsConfig.AllowAllOrigins && len(origins) > 0 {
+			corsConfig.AllowOrigins = origins
+		} else if !corsConfig.AllowAllOrigins {
+			// Fallback to allow all if no valid origins
+			corsConfig.AllowAllOrigins = true
+		}
 	}
 
 	return cors.New(corsConfig)