diff --git a/server/index.js b/server/index.js
index e25bdeb..ad126e7 100644
--- a/server/index.js
+++ b/server/index.js
@@ -37,8 +37,8 @@ class Server {
 /* Site */
 router.post('/free', this.newUserSubmission)
 router.get('/db/images/*', this.getUserImage)
- router.get('/app/orgdata/*', this.getOrgData)
- router.get('/app/mydata/*', this.getPersonalData)
+ router.get('/api/orgdata/*', this.getOrgData)
+ router.get('/api/mydata/*', this.getPersonalData)
 router.get('/*', this.get)
 return router
 }
@@ -225,7 +225,30 @@ class Server {
 this.auth = new AuthHandler()
 const app = express();
 app.post("/webhook", express.raw({ type: "application/json" }), PaymentsHandler.webhook)
- app.use(cors({ origin: '*' }));
+ const allowedOrigins = new Set([
+ "https://www.parchment.page",
+ "https://parchment.page",
+ "http://localhost:5174",
+ "http://sam.local:5174",
+ "http://localhost:5173",
+ "http://sam.local:5173",
+ "http://localhost:10002",
+ "http://sam.local:10002",
+ "capacitor://localhost",
+ "http://localhost"
+ ]);
+ app.use(cors({
+ origin(origin, cb) {
+ if (!origin) return cb(null, true); // native / curl
+
+ if (allowedOrigins.has(origin)) {
+ return cb(null, true);
+ }
+
+ return cb(new Error("Blocked by CORS"));
+ },
+ credentials: true
+ }));
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
 app.use(cookieParser());
diff --git a/ui/desktop/index.js b/ui/desktop/index.js
index ddcb0dc..6d7b0f9 100644
--- a/ui/desktop/index.js
+++ b/ui/desktop/index.js
@@ -22,7 +22,7 @@ let Global = class {
 async fetchAppData() {
 let personalSpace = this.currentNetwork === this.profile
- let appData = await fetch(`/app/${personalSpace ? "my" : "org"}data/` + this.currentNetwork.id, {method: "GET"})
+ let appData = await fetch(`/api/${personalSpace ? "my" : "org"}data/` + this.currentNetwork.id, {method: "GET"})
 let json = await appData.json()
 return json
 }
diff --git a/ui/mobile/index.js b/ui/mobile/index.js
index 957e2f2..7242bbc 100644
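Review bot: The new `allowedOrigins` set in the second server/index.js hunk hard-codes plain-HTTP development origins (`http://localhost:5173`, `http://sam.local:5174`, …) next to the production ones, and with `credentials: true` every listed origin may make credentialed cross-origin reads in all environments. `sam.local` is a `.local` name resolved on whatever network the client is on and none of these dev hosts use TLS, so they should be added only outside production, for example behind a `NODE_ENV` check or a configured list (the project's own environment flag is not visible here). The `capacitor://localhost` and `http://localhost` entries look like the mobile shell's origins and presumably have to stay. Separately, `cb(new Error("Blocked by CORS"))` hands the error to Express, so a disallowed origin gets whatever the error handler returns (a 500 by default), while the `!origin` branch still admits any client that omits the header; a comment stating that this is a browser-side policy and not access control for `/api/*` would help. The enclosing method starts and ends outside the hunk.

```javascript
const allowedOrigins = new Set([
    "https://www.parchment.page",
    "https://parchment.page",
    "capacitor://localhost",
    "http://localhost"
]);
if (process.env.NODE_ENV !== "production") {
    // Plain-HTTP dev hosts get credentialed access only outside production.
    for (const port of [5173, 5174, 10002]) {
        allowedOrigins.add(`http://localhost:${port}`);
        allowedOrigins.add(`http://sam.local:${port}`);
    }
}
// … unchanged: app.use(cors({ origin(origin, cb) { … }, credentials: true })) …
```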
--- a/ui/mobile/index.js
+++ b/ui/mobile/index.js
@@ -21,7 +21,7 @@ async function openNetworkAndApp() {
 }
 if(!global.currentNetwork.data) {
- let appData = await fetch("/app/orgdata/" + global.profile.networks[0].id, {method: "GET"})
+ let appData = await fetch("/api/orgdata/" + global.profile.networks[0].id, {method: "GET"})
 let json = await appData.json()
 global.currentNetwork.data = json
 }