diff --git a/backend/.env.example b/backend/.env.example
new file mode 100644
index 0000000..81d2de0
--- /dev/null
+++ b/backend/.env.example
@@ -0,0 +1,4 @@
+# Backend Configuration
+PORT=3001
+API_HOST=localhost
+CORS_ORIGINS=http://localhost:3000
diff --git a/backend/server.js b/backend/server.js
index cd5cbb0..d2a4b00 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -1,5 +1,7 @@
 // CVE Management Backend API
-// Install: npm install express sqlite3 multer cors
+// Install: npm install express sqlite3 multer cors dotenv
+
+require('dotenv').config();
 
 const express = require('express');
 const sqlite3 = require('sqlite3').verbose();
@@ -9,7 +11,11 @@ const path = require('path');
 const fs = require('fs');
 
 const app = express();
-const PORT = 3001;
+const PORT = process.env.PORT || 3001;
+const API_HOST = process.env.API_HOST || 'localhost';
+const CORS_ORIGINS = process.env.CORS_ORIGINS
+    ? process.env.CORS_ORIGINS.split(',')
+    : ['http://localhost:3000'];
 
 // Log all incoming requests
 app.use((req, res, next) => {
@@ -19,7 +25,7 @@ app.use((req, res, next) => {
 
 // Middleware
 app.use(cors({
-  origin: ['http://localhost:3000', 'http://192.168.2.117:3000'],
+  origin: CORS_ORIGINS,
   credentials: true
 }));
 app.use(express.json());
@@ -382,5 +388,6 @@ app.get('/api/stats', (req, res) => {
 
 // Start server
 app.listen(PORT, () => {
-    console.log(`CVE API server running on http://localhost:${PORT}`);
+    console.log(`CVE API server running on http://${API_HOST}:${PORT}`);
+    console.log(`CORS origins: ${CORS_ORIGINS.join(', ')}`);
 });
diff --git a/frontend/.env.example b/frontend/.env.example
new file mode 100644
index 0000000..cfc2405
--- /dev/null
+++ b/frontend/.env.example
@@ -0,0 +1,5 @@
+# Frontend Configuration
+# API_BASE should include the /api path
+REACT_APP_API_BASE=http://localhost:3001/api
+# API_HOST is used for direct file URLs (no /api)
+REACT_APP_API_HOST=http://localhost:3001
diff --git a/frontend/src/App.js b/frontend/src/App.js
index 78fcf91..d909e2a 100644
--- a/frontend/src/App.js
+++ b/frontend/src/App.js
@@ -1,7 +1,8 @@
 import React, { useState, useEffect } from 'react';
 import { Search, FileText, AlertCircle, Download, Upload, Eye, Filter, CheckCircle, XCircle, Loader, Trash2, Plus } from 'lucide-react';
 
-const API_BASE = 'http://192.168.2.117:3001/api';
+const API_BASE = process.env.REACT_APP_API_BASE || 'http://localhost:3001/api';
+const API_HOST = process.env.REACT_APP_API_HOST || 'http://localhost:3001';
 
 const severityLevels = ['All Severities', 'Critical', 'High', 'Medium', 'Low'];
 
@@ -625,8 +626,8 @@ export default function App() {
                                         </div>
                                       </div>
                                       <div className="flex gap-2">
-                                        <a 
-                                          href={`http://192.168.2.117:3001/${doc.file_path}`}
+                                        <a
+                                          href={`${API_HOST}/${doc.file_path}`}
                                           target="_blank"
                                           rel="noopener noreferrer"
                                           className="px-3 py-1 text-sm text-[#0476D9] hover:bg-blue-50 rounded transition-colors border border-[#0476D9]"
diff --git a/package.json b/package.json
index 3c4a60f..71947f0 100644
--- a/package.json
+++ b/package.json
@@ -11,6 +11,7 @@
   "license": "ISC",
   "dependencies": {
     "cors": "^2.8.6",
+    "dotenv": "^16.6.1",
     "express": "^5.2.1",
     "multer": "^2.0.2",
     "sqlite3": "^5.1.7"