diff --git a/packages/smart-signer/lib/cors-options.ts b/packages/smart-signer/lib/cors-options.ts
index f2867e11eac05809e9c9a969fb6ceee3bdc2ff00..61954a131bf8a81344433ac4b0f7957cf5d72f21 100644
--- a/packages/smart-signer/lib/cors-options.ts
+++ b/packages/smart-signer/lib/cors-options.ts
@@ -10,7 +10,9 @@ const resolveOptionOrigin = (origin: string = ''): boolean | string => {
             return origin;
         }
     }
-    return true;
+    // Default to false (deny all) for security - fail-closed approach
+    console.warn('DENSER_SERVER_API_CORS_ALLOW_ORIGIN not set - defaulting to deny all origins');
+    return false;
 };
 
 //