diff --git a/docker-compose.yml b/docker-compose.yml
index 2a9f7f7..f45ba41 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -21,10 +21,14 @@ services:
 KEYCLOAK_ADMIN: admin
 KEYCLOAK_ADMIN_PASSWORD: admin
 # Make issuer consistent & reachable from other containers
- KC_HOSTNAME: keycloak
+# KC_HOSTNAME: keycloak
 KC_HTTP_ENABLED: "true"
 KC_HOSTNAME_STRICT: "false"
 KC_PROXY: edge
+ KC_HOSTNAME_URL: "http://localhost:8081/"
+ KC_HOSTNAME_ADMIN_URL: "http://localhost:8081/"
+ KC_HOSTNAME_STRICT_HTTPS: "false"
+
 ports:
 - "8081:8081"
 volumes:
diff --git a/src/main/java/se/urmo/hemhub/config/SecurityConfig.java b/src/main/java/se/urmo/hemhub/config/SecurityConfig.java
index ffe54dd..39dfd35 100644
--- a/src/main/java/se/urmo/hemhub/config/SecurityConfig.java
+++ b/src/main/java/se/urmo/hemhub/config/SecurityConfig.java
@@ -7,6 +7,11 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+import java.util.List;
 @Configuration
 @EnableMethodSecurity
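Review bot: In docker-compose.yml the comment kept above the disabled `KC_HOSTNAME` line still says the issuer is reachable from other containers, but with `KC_HOSTNAME_URL: "http://localhost:8081/"` tokens will presumably carry an `iss` under `http://localhost:8081/`, and inside any other container `localhost` is that container itself. If the API service runs on this compose network, it would need a separately configured internal key endpoint (for example a `jwk-set-uri` that points at the `keycloak` service name) while still validating the `iss` claim; that wiring is not visible in this hunk. The plain-HTTP issuer together with `KC_HOSTNAME_STRICT_HTTPS: "false"` is only acceptable for local development, so I would replace the stale comment and the commented-out line with something like `# Dev only: browser-facing issuer over plain HTTP; do not reuse in a deployed environment`. The hunk starts and ends inside the keycloak service definition, so the image version and the remaining settings are outside my view.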
@@ -28,6 +33,23 @@ public class SecurityConfig {
 return http.build();
 }
+ @Bean
+ CorsConfigurationSource corsConfigurationSource() {
+ var config = new CorsConfiguration();
+ config.setAllowedOrigins(List.of(
+ "http://localhost:5173", // dev-SPA
+ "https://rubble.se" // prod-origin (SPA under /hemhub/app/)
+ ));
+ config.setAllowedMethods(List.of("GET","POST","PATCH","DELETE","OPTIONS"));
+ config.setAllowedHeaders(List.of("Authorization","Content-Type","Accept"));
+ config.setAllowCredentials(false); // vi använder Bearer, inte cookies
+ config.setMaxAge(3600L);
+
+ var source = new UrlBasedCorsConfigurationSource();
+ source.registerCorsConfiguration("/**", config);
+ return source;
+ }
+
 @Bean
 JwtAuthenticationConverter jwtConverter() {
 var converter = new JwtAuthenticationConverter();
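Review bot: The allow-list passed to `setAllowedOrigins` hard-codes the dev origin `http://localhost:5173` next to the production origin, so a production deployment will also accept cross-origin calls from whatever is served on that port of a user's machine. Because `setAllowCredentials(false)` is set and the API takes Bearer tokens the exposure is limited, but the list is still wider than production needs; I would bind it per profile, e.g. `corsConfigurationSource(@Value("${app.cors.allowed-origins}") List<String> allowedOrigins)` with `config.setAllowedOrigins(allowedOrigins);` (the property name is a placeholder). Whether the filter chain actually enables CORS with this source (`http.cors(...)`) cannot be seen here, since the `SecurityFilterChain` bean ends just above the hunk. The inline comment on `setAllowCredentials` would also read better in English, e.g. `// Bearer tokens only, no cookies`.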