diff --git a/dev/src/main/java/com/google/adk/web/config/AdkWebCorsProperties.java b/dev/src/main/java/com/google/adk/web/config/AdkWebCorsProperties.java
index c96dce91e..7de0f77a2 100644
--- a/dev/src/main/java/com/google/adk/web/config/AdkWebCorsProperties.java
+++ b/dev/src/main/java/com/google/adk/web/config/AdkWebCorsProperties.java
@@ -34,7 +34,10 @@ public record AdkWebCorsProperties(
 
   public AdkWebCorsProperties {
     mapping = mapping != null ? mapping : "/**";
-    origins = origins != null && !origins.isEmpty() ? origins : List.of("*");
+    origins =
+        origins != null && !origins.isEmpty()
+            ? origins
+            : List.of("http://localhost:8080", "http://127.0.0.1:8080");
     methods =
         methods != null && !methods.isEmpty()
             ? methods
diff --git a/dev/src/main/java/com/google/adk/web/websocket/WebSocketConfig.java b/dev/src/main/java/com/google/adk/web/websocket/WebSocketConfig.java
index d3c09cf8b..a17d72aff 100644
--- a/dev/src/main/java/com/google/adk/web/websocket/WebSocketConfig.java
+++ b/dev/src/main/java/com/google/adk/web/websocket/WebSocketConfig.java
@@ -16,6 +16,7 @@
 
 package com.google.adk.web.websocket;
 
+import com.google.adk.web.config.AdkWebCorsProperties;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.socket.config.annotation.EnableWebSocket;
@@ -28,14 +29,19 @@
 public class WebSocketConfig implements WebSocketConfigurer {
 
   private final LiveWebSocketHandler liveWebSocketHandler;
+  private final AdkWebCorsProperties corsProperties;
 
   @Autowired
-  public WebSocketConfig(LiveWebSocketHandler liveWebSocketHandler) {
+  public WebSocketConfig(
+      LiveWebSocketHandler liveWebSocketHandler, AdkWebCorsProperties corsProperties) {
     this.liveWebSocketHandler = liveWebSocketHandler;
+    this.corsProperties = corsProperties;
   }
 
   @Override
   public void registerWebSocketHandlers(WebSocketHandlerRegistry registry) {
-    registry.addHandler(liveWebSocketHandler, "/run_live").setAllowedOrigins("*");
+    registry
+        .addHandler(liveWebSocketHandler, "/run_live")
+        .setAllowedOrigins(corsProperties.origins().toArray(new String[0]));
   }
 }