diff --git a/app/cm_api.py b/app/cm_api.py
index 5c01e93..a9a24a6 100644
--- a/app/cm_api.py
+++ b/app/cm_api.py
@@ -1,7 +1,6 @@
 import os
 import threading
 from flask import Flask, jsonify, request
-from flask_cors import CORS
 from .db import DB
@@ -19,7 +18,12 @@ class CM_API:
     def __init__(self):
         self.app = Flask(__name__)
-        CORS(self.app)
+        # No CORS middleware: api-server is internal-only (no host port
+        # in prod compose, per C5). Browsers can't reach it directly,
+        # and server-side fetches from web-view / web-next don't trigger
+        # CORS. Removing flask_cors removes a permissive '*' origin
+        # default that becomes an attack surface if a host port is ever
+        # accidentally re-exposed.
         self._register_routes()
     def _get_database_connection(self):
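Review bot: The new comment block in `__init__` justifies the removal with a deployment property (no host port in the prod compose) that nothing in this module enforces, so a dev compose or a bare `flask run` with a published port would leave the API reachable with no origin policy at all. Dropping flask_cors is the right direction, but the closing sentence overstates what it buys: absent CORS headers a browser only refuses to read cross-origin responses, while a "simple" cross-origin POST to a state-changing route is still delivered to the server. I would reword the tail to `# default. Note this only blocks cross-origin *reads*; it does not protect` / `# state-changing routes if a host port is ever re-exposed — keep them behind` / `# the compose network boundary (C5) or add an explicit origin/auth check.`, and if `self.app.run(...)` lives in this module (outside the hunk) pin `host="127.0.0.1"` there so the "internal-only" claim is enforced in code rather than assumed. "per C5" would also benefit from a pointer to where that requirement is written down.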