diff --git a/src/dashboard/app.py b/src/dashboard/app.py
index c5021ab4..262aa8bd 100644
--- a/src/dashboard/app.py
+++ b/src/dashboard/app.py
@@ -484,12 +484,14 @@ app = FastAPI(
 def _get_cors_origins() -> list[str]:
-    """Get CORS origins from settings, with sensible defaults."""
+    """Get CORS origins from settings, rejecting wildcards in production."""
     origins = settings.cors_origins
     if "*" in origins and not settings.debug:
         logger.warning(
-            "CORS wildcard '*' used in non-debug mode; set CORS_ORIGINS to restrict allowed origins"
+            "Wildcard '*' in CORS_ORIGINS stripped in production — "
+            "set explicit origins via CORS_ORIGINS env var"
         )
+        origins = [o for o in origins if o != "*"]
     return origins