diff --git a/.env.example b/.env.example
index ad870bb..45d43fa 100644
--- a/.env.example
+++ b/.env.example
@@ -2,3 +2,5 @@ VITE_NODE_ENV=demo
 
 # FE-main host URL used by federation to load feMain/api
 VITE_FE_MAIN_MF=http://localhost:5173
+
+VITE_ALLOWED_ORIGINS=https://localhost:5173,https://127.0.0.1:5173,https://98tools.com,https://*.98tools.com
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
index 5f7c917..39b239e 100644
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@@ -1,4 +1,4 @@
-name: (main) [fe+mf] Deploy to Cloudflare Workers
+name: (dev) [fe+mf] Deploy to Cloudflare Workers
 
 on:
   push:
@@ -30,6 +30,7 @@ jobs:
         env:
           VITE_FE_MAIN_MF: ${{ vars.VITE_FE_MAIN_MF }}
           VITE_NODE_ENV: ${{ vars.VITE_NODE_ENV }}
+          VITE_ALLOWED_ORIGINS: ${{ vars.VITE_ALLOWED_ORIGINS }}
         run: npm run build
 
       - name: Deploy worker
diff --git a/public/_headers b/public/_headers
deleted file mode 100644
index ceb1579..0000000
--- a/public/_headers
+++ /dev/null
@@ -1,5 +0,0 @@
-/assets/*
-  Access-Control-Allow-Origin: *
-  Access-Control-Allow-Methods: GET, OPTIONS
-  Access-Control-Allow-Headers: *
-  Access-Control-Max-Age: 86400
diff --git a/vite.config.ts b/vite.config.ts
index 6a73432..dde832d 100644
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -31,5 +31,57 @@ export default defineConfig(({ mode }) => {
       emptyOutDir: false,
       target: 'esnext',
     },
+    server: getServerConfig(env),
   };
 })
+
+function isOriginAllowed(origin: string, allowedOrigins: string[]): boolean {
+  return allowedOrigins.some(allowedOrigin => {
+    if (allowedOrigin.includes('*')) {
+      // Convert wildcard pattern to regex
+      // e.g., 'https://*.98.tools' -> /^https:\/\/.*\.98\.tools$/
+      const pattern = allowedOrigin
+        .replace(/\./g, '\\.')
+        .replace(/\*/g, '[a-zA-Z0-9-]*');
+      const regex = new RegExp(`^${pattern}$`);
+      return regex.test(origin);
+    } else {
+      // Exact match
+      return origin === allowedOrigin;
+    }
+  });
+}
+
+function getServerConfig(env: Record<string, string>): import('vite').ServerOptions | undefined {
+  // Parse allowed origins from environment variable
+  const allowedOriginsStr = env.VITE_ALLOWED_ORIGINS || '';
+  const allowedOrigins = allowedOriginsStr
+    .split(',')
+    .map(origin => origin.trim())
+    .filter(origin => origin.length > 0);
+
+  const serverConfig: import('vite').ServerOptions = {
+    host: true,
+    port: 5173,
+    middleware: [(req, res, next) => {
+      const origin = req.headers.origin || '';
+      
+      // Check if origin is allowed
+      if (allowedOrigins.length > 0 && isOriginAllowed(origin, allowedOrigins)) {
+        res.setHeader('Access-Control-Allow-Origin', origin);
+        res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS, PATCH');
+        res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+        res.setHeader('Access-Control-Allow-Credentials', 'true');
+      }
+      
+      if (req.method === 'OPTIONS') {
+        res.writeHead(200);
+        res.end();
+      } else {
+        next();
+      }
+    }],
+  };
+
+  return serverConfig;
+}
\ No newline at end of file