diff --git a/backend/app/main.py b/backend/app/main.py
index 47f10349..8aa8a249 100644
--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -42,20 +42,13 @@ app = FastAPI(
 app.add_middleware(ErrorLoggingMiddleware)
 app.add_middleware(RequestLoggingMiddleware)
-# Configure CORS with dynamic origin checking for Railway PR environments
-def get_allowed_origins():
- """Return origins list or callable for dynamic checking."""
- if settings.ALLOW_RAILWAY_ORIGINS:
- # Use callable to dynamically check Railway origins
- def check_origin(origin: str) -> bool:
- return settings.is_origin_allowed(origin)
- return check_origin
- return settings.allowed_origins
-
+# Configure CORS
 # Note: When ALLOW_RAILWAY_ORIGINS is True, we use allow_origin_regex for Railway domains
+# PLUS the explicit allowed_origins list (for custom domains like app.patherly.com)
 if settings.ALLOW_RAILWAY_ORIGINS:
 app.add_middleware(
 CORSMiddleware,
+ allow_origins=settings.allowed_origins,
 allow_origin_regex=r"https://.*\.up\.railway\.app",
 allow_credentials=True,
 allow_methods=["*"],
@@ -95,6 +88,7 @@ async def debug_cors():
 """Debug endpoint to check CORS configuration."""
 return {
 "allow_railway_origins": settings.ALLOW_RAILWAY_ORIGINS,
- "cors_mode": "regex" if settings.ALLOW_RAILWAY_ORIGINS else "list",
- "allowed_origins": settings.allowed_origins if not settings.ALLOW_RAILWAY_ORIGINS else "*.up.railway.app (regex)"
+ "cors_mode": "regex + list" if settings.ALLOW_RAILWAY_ORIGINS else "list",
+ "allowed_origins": settings.allowed_origins,
+ "railway_regex": r"https://.*\.up\.railway\.app" if settings.ALLOW_RAILWAY_ORIGINS else None
 }
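Review bot: The new side of the first hunk still pairs `allow_origin_regex=r"https://.*\.up\.railway\.app"` with `allow_credentials=True`, so any origin served under the shared `up.railway.app` domain, not only this project's own deployments, may send credentialed requests and read the responses. The removed helper delegated to `settings.is_origin_allowed(origin)`; whether it was ever wired into the middleware is not visible, but nothing in these lines replaces a per-origin check. Consider narrowing the pattern to this project's service naming, for example `allow_origin_regex=r"https://<project-prefix>-[a-z0-9-]+\.up\.railway\.app"` (placeholder prefix), and confirm that `ALLOW_RAILWAY_ORIGINS` is off in production. The `add_middleware(...)` call continues past the end of the hunk, so its remaining arguments are not reviewed here.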
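Review bot: The pattern `r"https://.*\.up\.railway\.app"` is now written twice, once in the middleware call and once in `debug_cors()`, so the debug output can silently report a regex that is no longer the one being enforced. Define it once at module level, e.g. `RAILWAY_ORIGIN_REGEX = r"https://.*\.up\.railway\.app"`, and reference that name in both places. The endpoint also now returns the full `settings.allowed_origins` list in every mode, where it previously masked it in Railway mode. The route decorator is outside the hunk, so if this endpoint is reachable without authentication in production, consider gating it on a debug setting.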