diff --git a/src/main/java/com/bio/bio_backend/global/config/CorsConfig.java b/src/main/java/com/bio/bio_backend/global/config/CorsConfig.java
index 8642df5..c72f3a2 100644
--- a/src/main/java/com/bio/bio_backend/global/config/CorsConfig.java
+++ b/src/main/java/com/bio/bio_backend/global/config/CorsConfig.java
@@ -1,24 +1,55 @@
 package com.bio.bio_backend.global.config;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.filter.CorsFilter;
+import java.util.Arrays;
+import java.util.List;
+
 @Configuration
 public class CorsConfig {
+
+@Value("${cors.allowed-origins:http://localhost:3000,http://localhost:8080}")
+private String allowedOrigins;
+
 @Bean
 public CorsFilter corsFilter() {
 UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
 CorsConfiguration config = new CorsConfiguration();
-config.addAllowedOriginPattern("*");
-config.addAllowedHeader("*");
-config.addAllowedMethod("*");
+
+// 허용할 Origin 설정
+List origins = Arrays.asList(allowedOrigins.split(","));
+config.setAllowedOrigins(origins);
+
+// 허용할 헤더 설정
+config.setAllowedHeaders(Arrays.asList(
+"Authorization",
+"Content-Type",
+"X-Requested-With",
+"Accept",
+"Origin",
+"Access-Control-Request-Method",
+"Access-Control-Request-Headers"
+));
+
+// 허용할 HTTP 메서드 설정
+config.setAllowedMethods(Arrays.asList(
+"GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"
+));
+
+// 인증 정보 포함 허용 (JWT 토큰 등)
 config.setAllowCredentials(true);
+
+// Preflight 요청 캐시 시간 (초)
+config.setMaxAge(3600L);
+
+// 모든 경로에 적용
 source.registerCorsConfiguration("/**", config);
 return new CorsFilter(source);
-}
 }
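Review bot: The tail of the hunk reads as `-    }` followed by a single context `}` right after `return new CorsFilter(source);`, which removes the method's closing brace and leaves one brace for two open scopes; the new-side line count (55) is consistent with that reading, so CorsConfig most likely no longer compiles and the `}` should be restored. Separately, `List origins = Arrays.asList(allowedOrigins.split(","))` is a raw `List` and does no trimming, so a value such as `http://a, http://b` yields `" http://b"`, which never equals a browser's `Origin` header and silently rejects the second origin; prefer `List<String> origins = Arrays.stream(allowedOrigins.split(",")).map(String::trim).filter(s -> !s.isEmpty()).toList();` (or `.collect(Collectors.toList())` on Java below 16). Because `setAllowCredentials(true)` is now paired with `setAllowedOrigins`, a deployment that sets `cors.allowed-origins=*` is rejected by Spring when the first cross-origin request is checked rather than silently widening access, which is the right failure mode but worth recording on the `@Value` field, e.g. `// must be explicit origins: "*" is not allowed together with allowCredentials=true`. The localhost default in the placeholder applies in every environment where the property is unset; dropping the default so a missing production value fails fast would be safer.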
diff --git a/src/main/java/com/bio/bio_backend/global/security/WebSecurity.java b/src/main/java/com/bio/bio_backend/global/security/WebSecurity.java
index ae8e7c4..72afde6 100644
--- a/src/main/java/com/bio/bio_backend/global/security/WebSecurity.java
+++ b/src/main/java/com/bio/bio_backend/global/security/WebSecurity.java
@@ -2,6 +2,7 @@ package com.bio.bio_backend.global.security;
 import com.bio.bio_backend.global.filter.JwtTokenIssuanceFilter;
 import com.bio.bio_backend.global.filter.JwtTokenValidationFilter;
+import com.bio.bio_backend.global.config.CorsConfig;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
@@ -15,6 +16,7 @@ import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.filter.CorsFilter;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -37,6 +39,12 @@ public class WebSecurity {
 private final ObjectMapper objectMapper;
 private final HttpUtils httpUtils;
 private final MemberMapper memberMapper;
+private final CorsConfig corsConfig; // CorsConfig 주입
+
+// CORS 필터 빈 가져오기
+private CorsFilter getCorsFilter() {
+return corsConfig.corsFilter();
+}
 private JwtTokenIssuanceFilter getJwtTokenIssuanceFilter(AuthenticationManager authenticationManager) {
 JwtTokenIssuanceFilter filter = new JwtTokenIssuanceFilter(authenticationManager, jwtUtils, objectMapper, memberService, httpUtils, memberMapper);
@@ -86,6 +94,7 @@ public class WebSecurity {
 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
 );
+//.addFilterBefore(getCorsFilter(), UsernamePasswordAuthenticationFilter.class); // cors를 nginx 통해 처리 중
 return http.build();
 }
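Review bot: `getCorsFilter()` and the `corsConfig` field added in the -37 hunk have no caller, because the only uses (in the -86 hunk here and the -117 hunk below) are commented out; the method, the field and the two new imports are dead code and should be removed rather than parked behind `// cors를 nginx 통해 처리 중`. Commenting out `addFilterBefore` also does not disable the filter: if this is a Spring Boot application, the `CorsFilter` returned by `CorsConfig.corsFilter()` is a `Filter` bean that Boot registers in the servlet chain for every request independently of the security chain, so with nginx also handling CORS a response can carry duplicate `Access-Control-Allow-Origin` / `Access-Control-Allow-Credentials` headers, which browsers treat as a failed CORS check. Pick one layer: either delete the `@Bean` and this injection and let nginx own CORS, or keep CORS in the app, drop the nginx rules, and wire it through `http.cors(Customizer.withDefaults())` with a `CorsConfigurationSource` bean instead of a hand-built `CorsFilter`. Calling `corsConfig.corsFilter()` directly also relies on `@Configuration` proxying to hand back the singleton; injecting the `CorsFilter` bean itself would be the plain way if it is kept.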
@@ -117,6 +126,7 @@ public class WebSecurity {
 session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
 )
 .logout(AbstractHttpConfigurer::disable)
+//.addFilterBefore(getCorsFilter(), UsernamePasswordAuthenticationFilter.class) // cors를 nginx 통해 처리 중
 .addFilterBefore(getJwtTokenIssuanceFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class) // 토큰 발급
 .addFilterBefore(getJwtTokenValidationFilter(), UsernamePasswordAuthenticationFilter.class); // 토큰 검증