diff --git a/netlify.toml b/netlify.toml
index e27531f..1fd9d7e 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -21,7 +21,33 @@
 X-XSS-Protection = "1; mode=block"
 X-Content-Type-Options = "nosniff"
 Referrer-Policy = "strict-origin-when-cross-origin"
- Content-Security-Policy = "default-src 'self'; img-src 'self' data: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
+ Content-Security-Policy = """
+ default-src 'self';
+ connect-src 'self' https://bsjlbnyslxzsdwxvkaap.supabase.co wss://bsjlbnyslxzsdwxvkaap.supabase.co;
+ img-src 'self' data: https: blob:;
+ script-src 'self' 'unsafe-inline' 'unsafe-eval' https://bsjlbnyslxzsdwxvkaap.supabase.co;
+ style-src 'self' 'unsafe-inline';
+ frame-src 'self' https://bsjlbnyslxzsdwxvkaap.supabase.co;
+ font-src 'self' data:;
+ media-src 'self' https://bsjlbnyslxzsdwxvkaap.supabase.co;
+ worker-src 'self' blob:;
+ """
+ Access-Control-Allow-Origin = "https://historiasmagicas.netlify.app"
+ Access-Control-Allow-Methods = "GET, POST, PUT, DELETE, OPTIONS"
+ Access-Control-Allow-Headers = """
+ Authorization,
+ Content-Type,
+ Accept,
+ Origin,
+ User-Agent,
+ DNT,
+ Cache-Control,
+ X-Mx-ReqToken,
+ Keep-Alive,
+ X-Requested-With,
+ If-Modified-Since
+ """
+ Access-Control-Max-Age = "3600"
 [dev]
 command = "npm run dev"
diff --git a/supabase/config.toml b/supabase/config.toml
index 92b4d0c..d2cc46a 100644
--- a/supabase/config.toml
+++ b/supabase/config.toml
@@ -5,7 +5,11 @@ name = "Histórias Mágicas"
 [auth]
 enabled = true
 site_url = "https://historiasmagicas.netlify.app"
-additional_redirect_urls = ["https://historiasmagicas.netlify.app", "https://*.historiasmagicas.netlify.app"]
+additional_redirect_urls = [
+ "https://historiasmagicas.netlify.app/*",
+ "http://localhost:5173/*",
+ "http://localhost:3000/*"
+]
 jwt_expiry = 3600
 enable_refresh_token_rotation = true
 refresh_token_reuse_interval = 10
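Review bot: The new `Content-Security-Policy` and `Access-Control-Allow-Headers` values are plain `"""` multi-line strings, so the header values handed to Netlify contain raw newlines; depending on how Netlify folds them, that is either an invalid HTTP header value or a comma-joined list in which each line becomes a separate CSP policy — and a standalone `default-src 'self'` policy would block the Supabase connections the `connect-src` line is meant to allow. Ending each line with the TOML line-ending backslash (`"""\` on the opening line, ` \` at the end of every directive) trims the newlines and indentation and yields one single-line value regardless of the platform's folding; apply the same to `Access-Control-Allow-Headers`. While rewriting, note that `base-uri` and `frame-ancestors` do not inherit from `default-src`, so they are worth stating explicitly (the latter matching whatever `X-Frame-Options` this block sets above the hunk, if any), and that `'unsafe-inline' 'unsafe-eval'` in `script-src` — carried over from the old value — leaves the script restriction largely nominal. The enclosing `[headers.values]` table starts outside the hunk.
```toml
    Content-Security-Policy = """\
      default-src 'self'; \
      connect-src 'self' https://bsjlbnyslxzsdwxvkaap.supabase.co wss://bsjlbnyslxzsdwxvkaap.supabase.co; \
      img-src 'self' data: https: blob:; \
      script-src 'self' 'unsafe-inline' 'unsafe-eval' https://bsjlbnyslxzsdwxvkaap.supabase.co; \
      style-src 'self' 'unsafe-inline'; \
      frame-src 'self' https://bsjlbnyslxzsdwxvkaap.supabase.co; \
      font-src 'self' data:; \
      media-src 'self' https://bsjlbnyslxzsdwxvkaap.supabase.co; \
      worker-src 'self' blob:; \
      base-uri 'self'; \
      frame-ancestors 'self'\
      """
    # … unchanged: Access-Control-Allow-Origin / -Methods …
    # Access-Control-Allow-Headers: same """\ … \ folding as above
```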
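Review bot: The two `http://localhost:*` entries added to `additional_redirect_urls` are plain-http origins that the deployment does not serve, and nothing on the line records that they are meant for local development only. This file is read by the local Supabase CLI stack, but if it is ever pushed to the hosted project (the CLI can do that) they become accepted post-login redirect targets in production, which is the kind of allow-list entry that tends to get forgotten. A one-line comment above the array, `# Local-dev origins below; keep them out of the hosted project's redirect allow-list`, would make the intent explicit, or the dev entries could be kept in a local-only override if the CLI setup supports one. The `[auth]` table continues past the end of the hunk.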
@@ -18,7 +22,7 @@ verify_enabled = true
 enable_signup = true
 double_confirm_changes = true
 enable_confirmations = true
-secure_password_change = false
+secure_password_change = true
 max_frequency = "1m0s"
 otp_length = 6
 otp_expiry = 86400
@@ -38,9 +42,25 @@ enabled = true
 file_size_limit = "50MB"
 [storage.cors]
-allowed_origins = ["*"]
+allowed_origins = [
+ "https://historiasmagicas.netlify.app",
+ "http://localhost:5173",
+ "http://localhost:3000"
+]
 allowed_methods = ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
-allowed_headers = ["*"]
+allowed_headers = [
+ "Authorization",
+ "Content-Type",
+ "Accept",
+ "Origin",
+ "User-Agent",
+ "DNT",
+ "Cache-Control",
+ "X-Mx-ReqToken",
+ "Keep-Alive",
+ "X-Requested-With",
+ "If-Modified-Since"
+]
 exposed_headers = ["Content-Range", "Range"]
 max_age = 3600
@@ -53,9 +73,25 @@ max_rows = 1000
 [api.cors]
 enabled = true
-allowed_origins = ["*"]
+allowed_origins = [
+ "https://historiasmagicas.netlify.app",
+ "http://localhost:5173",
+ "http://localhost:3000"
+]
 allowed_methods = ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
-allowed_headers = ["*"]
+allowed_headers = [
+ "Authorization",
+ "Content-Type",
+ "Accept",
+ "Origin",
+ "User-Agent",
+ "DNT",
+ "Cache-Control",
+ "X-Mx-ReqToken",
+ "Keep-Alive",
+ "X-Requested-With",
+ "If-Modified-Since"
+]
 exposed_headers = ["Content-Range", "Range"]
 max_age = 3600
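Review bot: Flipping `secure_password_change` to `true` is a client-visible change, not only a server policy: as I understand Supabase Auth, password updates then require a recent sign-in or an explicit reauthentication step, so the app's change-password flow must support that (reauthentication request plus the nonce on the update) or password changes will start failing for users with older sessions. Nothing in the hunk or the commit text records that dependency; a trailing comment such as `# password updates need a recent login or reauthentication — client flow must handle it` on the changed line would save the next reader a surprise.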
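Review bot: The new `allowed_headers` list under `[storage.cors]` — repeated verbatim in the `[api.cors]` hunk below — omits headers the Supabase JavaScript client sends on every request, at least `apikey` and `x-client-info`, along with PostgREST's `Prefer`/`Accept-Profile`/`Content-Profile` and storage's `x-upsert`, while it does list `User-Agent`, `DNT` and `Keep-Alive`, which browsers never let page scripts set and which therefore need no preflight allowance. If these sections are enforced, cross-origin browser requests from the site will fail preflight as soon as the wildcard is gone; if the CLI version in use does not recognise `[storage.cors]`/`[api.cors]` at all, the tightening is cosmetic, so it is worth confirming which of the two is the case before relying on it. The `http://localhost` origins carry the same local-versus-hosted concern as elsewhere in this file and deserve a comment marking them dev-only. I would replace the boilerplate list in both hunks with the headers the client actually sends, e.g. `allowed_headers = ["Authorization", "apikey", "Content-Type", "Accept", "Range", "Prefer", "x-client-info", "x-upsert"]`, and verify against the client's requests in the browser's network panel.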