diff --git a/Back/main.py b/Back/main.py
index c28263c..d0f3dce 100644
--- a/Back/main.py
+++ b/Back/main.py
@@ -1,5 +1,5 @@
 from contextlib import asynccontextmanager
-from fastapi import FastAPI, Depends
+from fastapi import FastAPI, Depends, Request
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi_swagger import patch_fastapi
@@ -35,7 +35,7 @@ async def lifespan(app: FastAPI):
 await close_livekit_api()
 await redis_client.close()
-global_limiter = RateLimiter(requests=120, window_seconds=60, scope="global")
+global_limiter = RateLimiter(requests=30, window_seconds=60, scope="global")
 app = FastAPI(
 title="NEDA API",
@@ -54,21 +54,21 @@ patch_fastapi(app,docs_url="/swagger")
 app.add_middleware(
 CORSMiddleware,
- allow_origins=["*"],
+ allow_origins=[
+ "https://pathfinder.wikm.ir",
+ "http://localhost:8000",
+ ],
 allow_credentials=True,
- allow_methods=["*"],
- allow_headers=["*"],
+ allow_methods=["GET", "POST", "PUT", "DELETE", "*"], # محدود کردن متدها
+ allow_headers=["Authorization", "Content-Type"], # محدود کردن هدرها
 )
-# app.add_middleware(
-# CORSMiddleware,
-# allow_origins=[
-# "https://app.neda.com",
-# "http://localhost:3000" # فقط برای تست برنامه‌نویس فرانت‌اند
-# ],
-# allow_credentials=True,
-# allow_methods=["GET", "POST", "PUT", "DELETE"], # محدود کردن متدها
-# allow_headers=["Authorization", "Content-Type"], # محدود کردن هدرها
-# )
+
+@app.middleware("http")
+async def add_security_headers(request: Request, call_next):
+ response = await call_next(request)
+ response.headers["X-Content-Type-Options"] = "nosniff"
+ response.headers["X-Frame-Options"] = "DENY"
+ return response
 # -------------------------
 # Routers
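Review bot: The new `global_limiter = RateLimiter(requests=30, window_seconds=60, scope="global")` line carries no comment saying what `scope="global"` keys on, and the effect of cutting the budget to 30/minute depends entirely on that. If the bucket is shared by all callers, one client can drain it and every other caller is refused for the rest of the window, which turns the limiter into a self-inflicted denial of service; if it is keyed per client, 30/minute is a reasonable envelope. RateLimiter is defined outside this hunk, so I cannot tell which from here; I would add `# 30 req/min — confirm whether scope="global" means one bucket shared by all callers or one per client` next to the constant.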
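Review bot: The `"*"` entry in the new `allow_methods=["GET", "POST", "PUT", "DELETE", "*"]` line cancels the restriction the trailing comment claims: Starlette's CORSMiddleware treats a `"*"` anywhere in `allow_methods` as "allow every method", so the four explicit names are dead. The fix is `allow_methods=["GET", "POST", "PUT", "DELETE"],`. The `http://localhost:8000` origin is listed alongside `allow_credentials=True` in what looks like production configuration; consider loading the origin list from settings so the development entry is not deployed with credentialed CORS. `add_security_headers` sits entirely inside this hunk and has no docstring; I would add `"""Add X-Content-Type-Options: nosniff and X-Frame-Options: DENY to every response."""` so the intent of the two headers is recorded.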