diff --git a/README.md b/README.md index 46105b8..12d60dc 100644 --- a/README.md +++ b/README.md @@ -148,7 +148,11 @@ ALGORITHM=HS256 ACCESS_TOKEN_EXPIRE_MINUTES=30 REFRESH_TOKEN_EXPIRE_DAYS=30 -# Your host IP or domain (no trailing slash) +# Comma-separated list of allowed origins (no trailing slash) +# IMPORTANT: Add every domain/IP you access the app from. +# If you use a reverse proxy (e.g. Nginx Proxy Manager) with a custom domain, +# you MUST add that domain here or API requests will be blocked by the browser. +# Example: CORS_ORIGINS=http://localhost:8054,https://homeschool.example.com CORS_ORIGINS=http://localhost:8054 # Super admin credentials (for /super-admin) @@ -319,7 +323,7 @@ The TV dashboard connects to `ws://host/ws/{child_id}` and receives JSON events: | `ALGORITHM` | No | JWT algorithm (default: `HS256`) | | `ACCESS_TOKEN_EXPIRE_MINUTES` | No | Access token lifetime (default: `30`) | | `REFRESH_TOKEN_EXPIRE_DAYS` | No | Refresh token lifetime (default: `30`) | -| `CORS_ORIGINS` | No | Comma-separated allowed origins (default: `http://localhost:8054`) | +| `CORS_ORIGINS` | No | Comma-separated allowed origins (default: `http://localhost:8054`). **Add every domain you access the app from**, including any custom domain behind a reverse proxy (e.g. `http://localhost:8054,https://homeschool.example.com`). Missing an origin causes API requests to be silently blocked by the browser. | | `ADMIN_USERNAME` | No | Super admin login username (default: `admin`) | | `ADMIN_PASSWORD` | No | Super admin login password (default: `change_me_admin_password`) |
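Review bot: In the first hunk (the `.env` example), the added line `# IMPORTANT: Add every domain/IP you access the app from.` asks for a domain or IP, but a browser origin is scheme, host and port together, as the example on the last added line shows (`http://localhost:8054`, `https://homeschool.example.com`). A user who adds only `homeschool.example.com`, or the `http://` form of a site served over `https://`, would follow the comment and still be blocked. Suggest wording it as "Add every origin (scheme://host[:port]) you access the app from". The comment also does not say whether spaces after the commas are accepted. The example has none, so either state that or add "no spaces" next to "no trailing slash".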
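Review bot: In the second hunk (the `CORS_ORIGINS` table row), "silently blocked by the browser" is misleading and does not match the `.env` comment in the first hunk, which says only "blocked by the browser". Browsers report a CORS error in the developer console, and pointing readers there gives them a way to diagnose a missing origin. Suggest something like "Missing an origin causes the browser to block API requests with a CORS error in its console". The row also says "every domain" where the value is a full origin including scheme and port, so the same wording fix as in the `.env` comment applies. The cell is now much longer than its neighbours. Consider keeping the one-line description in the table and moving the reverse-proxy guidance to a short note below it.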