diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index b399dfb..548b637 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -55,6 +55,7 @@ jobs:
 service: ${{ env.SERVICE_NAME }}
 region: ${{ env.REGION }}
 image: ${{ env.IMAGE_TAG }}
+ flags: '--allow-unauthenticated'
 env_vars: |-
 OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
 SUPABASE_URL=${{ secrets.SUPABASE_URL }}
diff --git a/backend/Dockerfile b/backend/Dockerfile
index 23a00e1..3ef6ea0 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -41,4 +41,4 @@ EXPOSE 8080
 # Command to run the application using the PORT environment variable with exec form
 # We use exec to ensure uvicorn becomes the PID 1 process and handles termination signals properly
-CMD ["sh", "-c", "exec uvicorn app.main:app --host 0.0.0.0 --port ${PORT:-8080} --proxy-headers --forwarded-allow-ips='*'"]
+CMD ["sh", "-c", "exec uvicorn app.main:app --host 0.0.0.0 --port ${PORT:-8080} --proxy-headers --forwarded-allow-ips='130.211.0.0/22,35.191.0.0/16'"]
diff --git a/backend/app/api/routes/chat.py b/backend/app/api/routes/chat.py
index 0e6e115..c02aa0d 100644
--- a/backend/app/api/routes/chat.py
+++ b/backend/app/api/routes/chat.py
@@ -174,6 +174,7 @@ async def generate_chat_events(request: Request, query: str, history: List[Histo
 return
 @router.post("")
+@limiter.limit("5/minute")
 async def chat_endpoint(request: Request, chat_request: ChatRequest):
 """
 Endpoint for accepting chat queries and returning a text/event-stream response.
@@ -181,6 +182,7 @@ async def chat_endpoint(request: Request, chat_request: ChatRequest):
 return EventSourceResponse(generate_chat_events(request, chat_request.query, chat_request.history))
 @router.post("/title")
+@limiter.limit("10/minute")
 async def chat_title_endpoint(request: Request, title_request: TitleRequest):
 """
 Endpoint for generating a short chat room title based on the first user query.
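Review bot: In .github/workflows/deploy.yml, `flags: '--allow-unauthenticated'` makes the Cloud Run service invocable by anyone on every deploy, and nothing in the workflow records that this is intended. With platform-level auth off, the only gates in front of the endpoints that presumably spend the `OPENAI_API_KEY` quota are the application's own rate limits; CORS does not restrict non-browser clients. Re-applying the flag from CI also means the deploying identity must be allowed to change the service's IAM policy, which is more than a deploy-only role needs; granting public invoke once, outside the pipeline, would let that permission be dropped. If the flag stays, I would add a comment above it such as `# Public API by design: no platform-level auth; abuse control is the app-level rate limiter`. The step these inputs belong to starts above the hunk.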
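Review bot: In backend/Dockerfile, the new `--forwarded-allow-ips` value trusts only 130.211.0.0/22 and 35.191.0.0/16 (these look like Google Cloud load-balancer ranges), and the comment above CMD does not say what they are or why they are the right peers for this deployment. uvicorn applies the forwarded headers only when the connecting address matches this list, so if the container's immediate peer falls outside these ranges, `request.client.host` becomes the proxy's address and every caller looks identical to anything keyed on client IP, such as the rate limits added in chat.py. Older uvicorn releases also compared the entries as literal addresses rather than networks, so please confirm the installed version accepts CIDR notation. I would add a comment such as `# Trust X-Forwarded-* only from the platform front-end ranges; needs a uvicorn release with CIDR support` and check the logged client address on a deployed revision.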
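Review bot: `limiter` is used in the two new decorators in backend/app/api/routes/chat.py (`5/minute` on chat_endpoint, `10/minute` on chat_title_endpoint in the next hunk), but this commit adds no import of it in chat.py and no limiter registration or rate-limit exception handler in main.py. If that wiring is not already present outside these hunks, the module fails at import or an exceeded limit surfaces as an unhandled error rather than a 429. Whether the limits are per client also depends on the limiter's key function and storage, neither of which is visible: a key based on the client address is only as good as the proxy-header trust configured in the Dockerfile, and an in-memory store counts per container instance rather than per service. I would document that next to the decorators, for example `# Limit is per <key function> and per instance unless a shared store is configured`. Both endpoint bodies continue outside the hunks.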
diff --git a/backend/app/main.py b/backend/app/main.py
index 7dc81f5..6cde83d 100644
--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -70,8 +70,12 @@ def _on_preload_done(task: asyncio.Task):
 # Configure CORS
 app.add_middleware(
 CORSMiddleware,
- allow_origins=["*"],
- allow_credentials=False,
+ allow_origins=[
+ "http://localhost:3000",
+ "https://philo-rag.web.app",
+ "https://philo-rag.firebaseapp.com"
+ ],
+ allow_credentials=True,
 allow_methods=["*"],
 allow_headers=["*"],
 )
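Review bot: `http://localhost:3000` is now in the deployed `allow_origins` list together with `allow_credentials=True`, so any page served from that port on a user's machine is treated as a trusted origin for credentialed cross-origin calls to the production API. The development origin should be added only when the app runs in a development configuration, as sketched below; the environment variable name there is a placeholder and `os` must already be in scope in main.py. It is also worth confirming that the API relies on cookies or HTTP auth at all; if it does not, `allow_credentials=False` can stay and the change reduces to the origin list. CORS only constrains browsers, so it does not replace authentication now that the service is deployed with unauthenticated access.

```python
# Production origins are fixed; the local dev origin is opt-in via configuration.
cors_origins = [
    "https://philo-rag.web.app",
    "https://philo-rag.firebaseapp.com",
]
if os.getenv("APP_ENV") == "development":  # APP_ENV is a placeholder name
    cors_origins.append("http://localhost:3000")

app.add_middleware(
    CORSMiddleware,
    allow_origins=cors_origins,
    allow_credentials=True,
    # … unchanged: allow_methods, allow_headers …
)
```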