diff --git a/test-backend/app.ts b/test-backend/app.ts
index a8322f9..652aed9 100644
--- a/test-backend/app.ts
+++ b/test-backend/app.ts
@@ -22,7 +22,7 @@ function createApp(): Express {
   // Restrict CORS to the predefined frontend URL
   app.use(
     cors({
-      origin: FRONTEND_URL,
+      // origin: FRONTEND_URL,
     })
   )
   app.use(express.json())
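Review bot: With `origin` commented out, `cors({})` falls back to the package default, which answers every request with `Access-Control-Allow-Origin: *`, so the context line `// Restrict CORS to the predefined frontend URL` now describes behaviour the code no longer has and any site can make credentialless cross-origin calls to this backend. The same relaxation is repeated in the second hunk, where the manual `origin !== FRONTEND_URL` comparison is commented out as well. If opening this up is deliberate for a test backend, make it an explicit, reversible switch instead of dead code, e.g. `origin: allowAnyOrigin ? "*" : FRONTEND_URL,` (where `allowAnyOrigin` stands for whatever configuration flag the project uses), and update the comment to say so; otherwise the restriction should stay. `createApp` begins before this hunk and continues past it.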
@@ -33,32 +33,32 @@ function createApp(): Express {
     if (!origin) {
       return res.status(403).json({ error: "Missing Origin header" })
     }
-    if (origin !== FRONTEND_URL) {
-      return res.status(403).json({ error: "Forbidden origin" })
-    }
+    // if (origin !== FRONTEND_URL) {
+    //   return res.status(403).json({ error: "Forbidden origin" })
+    // }
     next()
   })
 
   // Per-request CSP nonce and header. Also expose nonce via X-CSP-Nonce so the frontend
   // can apply it to inline scripts/styles when needed.
-  app.use((req, res, next) => {
-    const nonce = randomBytes(16).toString("base64")
+  // app.use((req, res, next) => {
+  //   const nonce = randomBytes(16).toString("base64")
 
-    const csp = [
-      `default-src 'self' ${FRONTEND_URL}`,
-      `connect-src 'self' ${FRONTEND_URL}`,
-      `img-src 'self' data: ${FRONTEND_URL}`,
-      `script-src 'self' 'nonce-${nonce}' ${FRONTEND_URL}`,
-      `style-src 'self' 'nonce-${nonce}' ${FRONTEND_URL}`,
-    ].join("; ")
+  //   const csp = [
+  //     `default-src 'self' ${FRONTEND_URL}`,
+  //     `connect-src 'self' ${FRONTEND_URL}`,
+  //     `img-src 'self' data: ${FRONTEND_URL}`,
+  //     `script-src 'self' 'nonce-${nonce}' ${FRONTEND_URL}`,
+  //     `style-src 'self' 'nonce-${nonce}' ${FRONTEND_URL}`,
+  //   ].join("; ")
 
-    res.setHeader("Content-Security-Policy", csp)
-    // Expose nonce so frontend templates can use it for inline scripts/styles
-    res.setHeader("X-CSP-Nonce", nonce)
-    // Vary on Origin so caches consider the Origin header when caching responses
-    res.setHeader("Vary", "Origin")
-    next()
-  })
+  //   res.setHeader("Content-Security-Policy", csp)
+  //   // Expose nonce so frontend templates can use it for inline scripts/styles
+  //   res.setHeader("X-CSP-Nonce", nonce)
+  //   // Vary on Origin so caches consider the Origin header when caching responses
+  //   res.setHeader("Vary", "Origin")
+  //   next()
+  // })
 
   return app
 }
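Review bot: The whole CSP middleware is commented out, so responses no longer carry `Content-Security-Policy`, `X-CSP-Nonce` or `Vary: Origin`, while the kept context comment `// Per-request CSP nonce and header. Also expose nonce via X-CSP-Nonce ...` still promises the frontend a nonce it will never receive; inline scripts or styles on the frontend that depended on that nonce will now run without a policy rather than with a relaxed one. Those headers are independent of the origin allow-list and cost nothing to keep, so if the goal is only to stop rejecting other origins, leave this middleware active and gate just the comparison above it: `if (!allowAnyOrigin && origin !== FRONTEND_URL) {` (with `allowAnyOrigin` a placeholder for the project's config flag). As written, the surviving `if (!origin)` guard only demands that some Origin header be present and then accepts any value, which is a check that no longer enforces anything and should either be restored or removed along with the comment. If `randomBytes` was imported solely for this middleware it is presumably unused now; the import block is outside this hunk, as is the start of `createApp`.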