diff --git a/knockoutwhistweb/conf/application.conf b/knockoutwhistweb/conf/application.conf
index 6ecdc7e..3d41095 100644
--- a/knockoutwhistweb/conf/application.conf
+++ b/knockoutwhistweb/conf/application.conf
@@ -14,14 +14,10 @@ auth {
   publicKeyPem  = ${?PUBLIC_KEY_PEM}
 }
 
-play.http.context="/api"
-
-play.modules.enabled += "modules.GatewayModule"
-
 play.filters.enabled += "play.filters.cors.CORSFilter"
 
 play.filters.cors {
-  allowedOrigins = ["http://localhost:5173", "http://localhost:3000", "http://localhost:8081"]
+  allowedOrigins = ["http://localhost:5173"]
   allowedCredentials = true
   allowedHttpMethods = ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
   allowedHttpHeaders = ["Accept", "Content-Type", "Origin", "X-Requested-With"]
diff --git a/knockoutwhistweb/conf/prod.conf b/knockoutwhistweb/conf/prod.conf
new file mode 100644
index 0000000..bec057c
--- /dev/null
+++ b/knockoutwhistweb/conf/prod.conf
@@ -0,0 +1,14 @@
+include "application.conf"
+
+play.http.secret.key="zg8^v0R*:7-m.>^8T2B1q)sE3MV_9=M{K9zx8,<3}"
+
+play.http.context="/api"
+
+play.modules.enabled += "modules.GatewayModule"
+
+play.filters.cors {
+  allowedOrigins = ["https://knockout.janis-eccarius.de"]
+  allowedCredentials = true
+  allowedHttpMethods = ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
+  allowedHttpHeaders = ["Accept", "Content-Type", "Origin", "X-Requested-With"]
+}
\ No newline at end of file