diff --git a/backend/server/demo/settings.py b/backend/server/demo/settings.py
index bf774a7..c026b92 100644
--- a/backend/server/demo/settings.py
+++ b/backend/server/demo/settings.py
@@ -188,6 +188,17 @@ SWAGGER_SETTINGS = {
 # For demo purposes only. Use a white list in the real world.
-CORS_ORIGIN_ALLOW_ALL = True
+CORS_ORIGIN_ALLOW_ALL = False
+
+CORS_ALLOWED_ORIGINS = [
+ 'http://localhost:3000',
+ 'http://adventurelog.app',
+ 'https://api.adventurelog.app',
+]
+
+CSRF_TRUSTED_ORIGINS = [
+ 'https://api.adventurelog.app',
+ 'https://adventurelog.app',
+]
 DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'
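Review bot: In `CORS_ALLOWED_ORIGINS` the frontend is listed as `'http://adventurelog.app'`, while `CSRF_TRUSTED_ORIGINS` lists it as `'https://adventurelog.app'`; an origin match includes the scheme, so as written the HTTPS site is not on the CORS allowlist and the cleartext one is. If the site is served over TLS, this entry should read `'https://adventurelog.app',`, which also avoids trusting an origin whose pages can be altered in transit. `'http://localhost:3000'` is a development origin and would be better added only when `DEBUG` is on or read from an environment variable, since this settings file appears to serve the deployed API as well. The context comment above the setting (`# For demo purposes only. Use a white list in the real world.`) is now stale and could become `# Only these origins may make cross-origin requests to the API.`.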