diff --git a/config/__pycache__/settings.cpython-311.pyc b/config/__pycache__/settings.cpython-311.pyc
index f77a9c1..90dfc3c 100644
Binary files a/config/__pycache__/settings.cpython-311.pyc and b/config/__pycache__/settings.cpython-311.pyc differ
diff --git a/config/settings.py b/config/settings.py
index 1e5f14d..3214c3a 100644
--- a/config/settings.py
+++ b/config/settings.py
@@ -20,21 +20,34 @@ load_dotenv(BASE_DIR.parent / ".env")
 SECRET_KEY = os.getenv("DJANGO_SECRET_KEY", "change-me")
 DEBUG = os.getenv("DJANGO_DEBUG", "true").lower() == "true"
+def _host_from_env(value):
+ return value.replace("https://", "").replace("http://", "").split("/")[0].strip()
+
+
 ALLOWED_HOSTS = [
- "127.0.0.1",
- "localhost",
- os.getenv("HOST_FQDN", ""),
+ host for host in [
+ "127.0.0.1",
+ "localhost",
+ ".appwizzy.dev",
+ ".dev.flatlogic.app",
+ _host_from_env(os.getenv("HOST_FQDN", "")),
+ _host_from_env(os.getenv("FULL_DOMAIN", "")),
+ ] if host
 ]
 CSRF_TRUSTED_ORIGINS = [
 origin for origin in [
+ "https://*.appwizzy.dev",
+ "http://*.appwizzy.dev",
+ "https://*.dev.flatlogic.app",
 os.getenv("HOST_FQDN", ""),
+ os.getenv("FULL_DOMAIN", ""),
 os.getenv("CSRF_TRUSTED_ORIGIN", "")
 ] if origin
 ]
 CSRF_TRUSTED_ORIGINS = [
- f"https://{host}" if not host.startswith(("http://", "https://")) else host
- for host in CSRF_TRUSTED_ORIGINS
+ f"https://{origin}" if not origin.startswith(("http://", "https://")) else origin
+ for origin in CSRF_TRUSTED_ORIGINS
 ]
 # Cookies must always be HTTPS-only; SameSite=Lax keeps CSRF working behind the proxy.
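Review bot: The new hard-coded `CSRF_TRUSTED_ORIGINS` entries trust every subdomain of `appwizzy.dev` and `dev.flatlogic.app` in all environments, and `"http://*.appwizzy.dev"` does so over plain HTTP, which contradicts the HTTPS-only cookie comment that follows and lets an unencrypted origin pass Django's origin check for unsafe requests. If these are shared platform domains where other tenants receive subdomains (the diff does not say), any sibling subdomain becomes a trusted origin for this site, and the matching `.appwizzy.dev` / `.dev.flatlogic.app` entries in `ALLOWED_HOSTS` widen Host-header acceptance the same way. I would remove the `http://` entry and keep the wildcards out of the base settings, supplying the exact origin per deployment through the existing `HOST_FQDN` / `CSRF_TRUSTED_ORIGIN` variables, or at minimum gate them with `*(["https://*.appwizzy.dev", "https://*.dev.flatlogic.app"] if DEBUG else []),` while noting that `DEBUG` itself defaults to true here. Separately, `_host_from_env` keeps a `:port` suffix, which an `ALLOWED_HOSTS` entry will not match, and it has no docstring stating the input forms it accepts; `# Reduce a URL or bare host from the environment to the host name only` above it would help.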