diff --git a/.env.sample b/.env.sample
index 4789ad6..447ef21 100644
--- a/.env.sample
+++ b/.env.sample
@@ -242,7 +242,11 @@ SESSION_COOKIE_NAME="directus_session_token"
 CORS_ENABLED=true
 # Value for the Access-Control-Allow-Origin header. Use true to match the Origin header, or provide a domain or a CSV of domains for specific access [false]
-CORS_ORIGIN=true
+# NE PAS utiliser true en production — lister explicitement les origines autorisées
+# Dev local :
+# CORS_ORIGIN=http://localhost:3000
+# Production :
+CORS_ORIGIN=https://konstitisyon.nu
 # Value for the Access-Control-Allow-Methods header [GET,POST,PATCH,DELETE]
 CORS_METHODS=GET,POST,PATCH,DELETE
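Review bot: The active `CORS_ORIGIN` line in this sample is now the production origin, so a copy of `.env.sample` used for local work will have the browser block cross-origin calls from `http://localhost:3000` until the two lines are swapped by hand. I would keep the template on the development value, `CORS_ORIGIN=http://localhost:3000`, leave the production origin as the commented example, and set the real value in the deployment environment. The added comments are in French while the surrounding comments in this file are English; `# Do NOT use true in production: list allowed origins explicitly (exact scheme://host[:port], comma-separated)` would match the file. That wording also records that the comparison is on the full origin, so a `www.` host or a non-default port has to be listed separately if the site is served from one.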