diff --git a/common/src/main/java/com/pfplaybackend/api/common/config/security/SecurityConfig.java b/common/src/main/java/com/pfplaybackend/api/common/config/security/SecurityConfig.java
index a8e0528a..6a60e4be 100644
--- a/common/src/main/java/com/pfplaybackend/api/common/config/security/SecurityConfig.java
+++ b/common/src/main/java/com/pfplaybackend/api/common/config/security/SecurityConfig.java
@@ -43,7 +43,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 .requestMatchers("/api/v1/admin/**").permitAll() // Admin API - no auth required (temporary)
 .requestMatchers("/api/**").authenticated()
 .requestMatchers("/ws/**").permitAll()
- .requestMatchers("/spec/**").permitAll()
+ .requestMatchers("/spec/**", "/swagger-ui/**", "/v3/api-docs/**").permitAll()
 .anyRequest().denyAll()
 )
 .oauth2ResourceServer(oauth2 -> oauth2
@@ -61,11 +61,9 @@ public CorsConfigurationSource corsConfigurationSource() {
 configuration.setAllowedOrigins(List.of(
 "https://localhost:3000",
 "http://localhost:3000",
- "http://localhost:4000",
 "http://localhost:8080",
 "http://admin.pfplay.xyz",
- "https://pfplay.xyz",
- "https://pfplay-api.app"));
+ "https://pfplay.xyz"));
 configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
 configuration.setAllowedHeaders(List.of("*"));
 configuration.setAllowCredentials(true);
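Review bot: The widened matcher makes `/swagger-ui/**` and `/v3/api-docs/**` public in every environment, so the full API description is readable without a token, including the `/api/v1/admin/**` routes that the first context line of this hunk still leaves on `permitAll()`. If the docs are only needed during development, permit these paths only under a non-production profile, or switch the endpoints off in production; the paths suggest springdoc, where `springdoc.api-docs.enabled=false` and `springdoc.swagger-ui.enabled=false` do that. At minimum, record the intent next to the matcher, e.g. `// Swagger UI / OpenAPI docs: keep public only in non-production profiles`. The filterChain body starts and ends outside the hunk, so any profile gating elsewhere is not visible from here.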
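Review bot: The trimmed allow-list still contains the plain-HTTP origin `http://admin.pfplay.xyz` and two `http://localhost` entries, while the same configuration sets `setAllowCredentials(true)` and `setAllowedHeaders(List.of("*"))`. A page served over HTTP can be altered in transit, so allowing it credentialed cross-origin reads undermines the protection the HTTPS origins have. I would change that entry to `"https://admin.pfplay.xyz",` and load the localhost origins from a dev-only profile or property instead of hard-coding them. How much this matters depends on whether clients authenticate with cookies or only with bearer tokens, which is not visible here. corsConfigurationSource starts before and continues past this hunk.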