diff --git a/templates/types/simple/express/index.ts b/templates/types/simple/express/index.ts
index 90e67278de93c1189341e432776d29f03108319b..daf5d8b6e82599243a1becc1d8e85c0de769e9dd 100644
--- a/templates/types/simple/express/index.ts
+++ b/templates/types/simple/express/index.ts
@@ -8,9 +8,21 @@ const port = 8000;
 
 const env = process.env["NODE_ENV"];
 const isDevelopment = !env || env === "development";
+const prodCorsOrigin = process.env["PROD_CORS_ORIGIN"];
+
 if (isDevelopment) {
   console.warn("Running in development mode - allowing CORS for all origins");
   app.use(cors());
+} else if (prodCorsOrigin) {
+  console.log(
+    `Running in production mode - allowing CORS for domain: ${prodCorsOrigin}`,
+  );
+  const corsOptions = {
+    origin: prodCorsOrigin, // Restrict to production domain
+  };
+  app.use(cors(corsOptions));
+} else {
+  console.warn("Production CORS origin not set, defaulting to no CORS.");
 }
 
 app.use(express.text());
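Review bot: `origin: prodCorsOrigin` hands the raw environment value to `cors()`, so `PROD_CORS_ORIGIN=*` re-enables every origin in production while the log line reports it as a restricted domain. A comma-separated list would be sent as one literal header value that browsers will not match. Parse the variable into a trimmed list, drop empty entries and `*`, and pass the array as `origin` so the production branch can only narrow access. The same lines appear in the hunk for templates/types/streaming/express/index.ts.

```typescript
const prodCorsOrigins = (process.env["PROD_CORS_ORIGIN"] ?? "")
  .split(",")
  .map((origin) => origin.trim())
  .filter((origin) => origin !== "" && origin !== "*");

// … unchanged: development branch …
} else if (prodCorsOrigins.length > 0) {
  console.log(
    `Running in production mode - allowing CORS for: ${prodCorsOrigins.join(", ")}`,
  );
  app.use(cors({ origin: prodCorsOrigins }));
// … unchanged: fallback branch without CORS …
```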
diff --git a/templates/types/streaming/express/index.ts b/templates/types/streaming/express/index.ts
index 90e67278de93c1189341e432776d29f03108319b..daf5d8b6e82599243a1becc1d8e85c0de769e9dd 100644
--- a/templates/types/streaming/express/index.ts
+++ b/templates/types/streaming/express/index.ts
@@ -8,9 +8,21 @@ const port = 8000;
 
 const env = process.env["NODE_ENV"];
 const isDevelopment = !env || env === "development";
+const prodCorsOrigin = process.env["PROD_CORS_ORIGIN"];
+
 if (isDevelopment) {
   console.warn("Running in development mode - allowing CORS for all origins");
   app.use(cors());
+} else if (prodCorsOrigin) {
+  console.log(
+    `Running in production mode - allowing CORS for domain: ${prodCorsOrigin}`,
+  );
+  const corsOptions = {
+    origin: prodCorsOrigin, // Restrict to production domain
+  };
+  app.use(cors(corsOptions));
+} else {
+  console.warn("Production CORS origin not set, defaulting to no CORS.");
 }
 
 app.use(express.text());
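Review bot: The context line `const isDevelopment = !env || env === "development";` treats an unset NODE_ENV as development, so a deployment that sets PROD_CORS_ORIGIN but forgets NODE_ENV still takes the `app.use(cors())` branch and allows all origins. Consider requiring the explicit value, `const isDevelopment = env === "development";`, or at least skipping the permissive branch whenever PROD_CORS_ORIGIN is set. The hunk for templates/types/simple/express/index.ts has the same condition. The final branch would also benefit from a comment such as `// CORS only limits cross-origin reads in browsers; it does not authenticate callers of this API`.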