diff --git a/assets/pasted-20260306-173637-e937ae31.png b/assets/pasted-20260306-173637-e937ae31.png
new file mode 100644
index 0000000..63d50d7
Binary files /dev/null and b/assets/pasted-20260306-173637-e937ae31.png differ
diff --git a/assets/vm-shot-2026-03-06T17-35-59-925Z.jpg b/assets/vm-shot-2026-03-06T17-35-59-925Z.jpg
new file mode 100644
index 0000000..42dbace
Binary files /dev/null and b/assets/vm-shot-2026-03-06T17-35-59-925Z.jpg differ
diff --git a/config/__pycache__/settings.cpython-311.pyc b/config/__pycache__/settings.cpython-311.pyc
index d79d6a7..7a6aa30 100644
Binary files a/config/__pycache__/settings.cpython-311.pyc and b/config/__pycache__/settings.cpython-311.pyc differ
diff --git a/config/settings.py b/config/settings.py
index 291d043..8ed2b6a 100644
--- a/config/settings.py
+++ b/config/settings.py
@@ -20,22 +20,54 @@ load_dotenv(BASE_DIR.parent / ".env")
 SECRET_KEY = os.getenv("DJANGO_SECRET_KEY", "change-me")
 DEBUG = os.getenv("DJANGO_DEBUG", "true").lower() == "true"
 
+def _normalize_host(value: str) -> str:
+    value = (value or "").strip()
+    if not value:
+        return ""
+    if "://" in value:
+        value = value.split("://", 1)[1]
+    value = value.split("/", 1)[0]
+    value = value.split(":", 1)[0]
+    return value.strip()
+
+
+def _normalize_origin(value: str) -> str:
+    value = (value or "").strip().rstrip("/")
+    if not value:
+        return ""
+    if value.startswith(("http://", "https://")):
+        return value
+    host = _normalize_host(value)
+    return f"https://{host}" if host else ""
+
+
+host_fqdn = _normalize_host(os.getenv("HOST_FQDN", ""))
+extra_allowed_hosts = [
+    _normalize_host(item)
+    for item in os.getenv("ALLOWED_HOSTS", "").split(",")
+    if _normalize_host(item)
+]
+
 ALLOWED_HOSTS = [
     "127.0.0.1",
     "localhost",
-    os.getenv("HOST_FQDN", ""),
+    ".appwizzy.dev",
+    host_fqdn,
+    *extra_allowed_hosts,
 ]
+ALLOWED_HOSTS = list(dict.fromkeys([host for host in ALLOWED_HOSTS if host]))
 
-CSRF_TRUSTED_ORIGINS = [
-    origin for origin in [
-        os.getenv("HOST_FQDN", ""),
-        os.getenv("CSRF_TRUSTED_ORIGIN", "")
-    ] if origin
+csrf_origin_items = [
+    os.getenv("HOST_FQDN", ""),
+    os.getenv("CSRF_TRUSTED_ORIGIN", ""),
+    *os.getenv("CSRF_TRUSTED_ORIGINS", "").split(","),
 ]
 CSRF_TRUSTED_ORIGINS = [
-    f"https://{host}" if not host.startswith(("http://", "https://")) else host
-    for host in CSRF_TRUSTED_ORIGINS
+    "https://*.appwizzy.dev",
+    "http://*.appwizzy.dev",
+    *[_normalize_origin(origin) for origin in csrf_origin_items if _normalize_origin(origin)],
 ]
+CSRF_TRUSTED_ORIGINS = list(dict.fromkeys(CSRF_TRUSTED_ORIGINS))
 
 # Cookies must always be HTTPS-only; SameSite=Lax keeps CSRF working behind the proxy.
 SESSION_COOKIE_SECURE = True
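Review bot: The new `"http://*.appwizzy.dev"` entry in CSRF_TRUSTED_ORIGINS trusts a plaintext origin for every subdomain of appwizzy.dev, which contradicts the `# Cookies must always be HTTPS-only` comment three lines below it: Django matches wildcard trusted origins per scheme, so an http page under any appwizzy.dev subdomain (e.g. one an on-path attacker serves to a client without HSTS) would pass the Origin check against the https site. Unless a plaintext dev flow needs it, drop that entry or gate it on debug mode, `*(["http://*.appwizzy.dev"] if DEBUG else []),`, and keep even the https wildcard only if every subdomain is first-party — if tenant- or user-controlled subdomains exist (not determinable from this hunk), a wildcard here lets one subdomain forge CSRF requests against another. Separately, `_normalize_host` splits on the first `:`, so an IPv6 literal such as `[::1]:8000` normalizes to `[`, and `_normalize_origin` drops the port for scheme-less input (`localhost:8000` becomes `https://localhost`), silently un-trusting non-443 origins; `urllib.parse.urlsplit("//" + value).hostname` handles both forms, and the origin helper should preserve an explicit port. The commit also ships a regenerated `config/__pycache__/settings.cpython-311.pyc`; compiled bytecode belongs in .gitignore rather than in version control.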