diff --git a/infra/README.md b/infra/README.md
index dc91654b8..61e442da3 100644
--- a/infra/README.md
+++ b/infra/README.md
@@ -388,12 +388,6 @@ az deployment group create \
 4. **Manage access** — Add or remove users via Entra security groups (`allowedGroupObjectIds`). Each group must also be assigned to the enterprise app.
-5. **Set CORS origins** for production (the Bicep template does not set this):
- ```bash
- az containerapp update -n -g \
- --set-env-vars "PYRIT_CORS_ORIGINS=https://$FQDN"
- ```
-
 ## Access the GUI
 ```bash
diff --git a/infra/main.bicep b/infra/main.bicep
index 833b6fcc7..d4efac8d9 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -475,6 +475,13 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
 name: 'AZURE_CLIENT_ID'
 value: managedIdentity.properties.clientId
 }
+ // CORS origin for the SPA. The ACA-generated FQDN is deterministic
+ // (.), so we compute it from upstream
+ // resources rather than self-referencing containerApp.
+ {
+ name: 'PYRIT_CORS_ORIGINS'
+ value: 'https://${appName}.${acaEnvironment.properties.defaultDomain}'
+ }
 ]
 }
 ]
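Review bot: The computed `PYRIT_CORS_ORIGINS` value in infra/main.bicep matches the browser's origin only if the container app is actually named `appName` and is reached through the environment's default external hostname; neither the resource's `name` nor its ingress settings are visible in this hunk, and a custom domain or internal ingress (which I believe inserts an `.internal` label) would produce a different origin. The mismatch fails closed, but with the README override step removed an operator's quickest workaround is a hand-edited, wider origin list, so I would keep an explicit override: `param corsOrigins string = ''` and `value: empty(corsOrigins) ? 'https://${appName}.${acaEnvironment.properties.defaultDomain}' : corsOrigins`. The comment's `(.)` also reads as if the hostname pattern was lost; spell it out in words, e.g. `// (app name + environment default domain)`. The `containerApp` resource body starts and ends outside the hunk.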