diff --git a/sso-auth-service/index.js b/sso-auth-service/index.js
index bf0a200..d63c177 100644
--- a/sso-auth-service/index.js
+++ b/sso-auth-service/index.js
@@ -30,8 +30,8 @@ if (process.env.NODE_ENV === 'development') {
 }
 app.use(cors({
 origin: function(origin, cb) {
- if (!origin || allowedOrigins.includes(origin) || /^http:\/\/(192\.168\.\d+\.\d+|localhost)(:\d+)?$/.test(origin)) return cb(null, true);
- cb(new Error('CORS blocked: ' + origin));
+ if (!origin || allowedOrigins.includes(origin) || /^https?:\/\/[a-z0-9-]+\.technicalkorea\.net$/.test(origin) || /^http:\/\/(192\.168\.\d+\.\d+|localhost)(:\d+)?$/.test(origin)) return cb(null, true);
+ cb(null, false);
 },
 credentials: true
 }));
diff --git a/system1-factory/api/config/cors.js b/system1-factory/api/config/cors.js
index 8affcc1..93042fe 100644
--- a/system1-factory/api/config/cors.js
+++ b/system1-factory/api/config/cors.js
@@ -50,6 +50,12 @@ const corsOptions = {
 return callback(null, true);
 }
 
+ // *.technicalkorea.net 서브도메인 허용 (인앱 브라우저 대응)
+ if (/^https?:\/\/[a-z0-9-]+\.technicalkorea\.net$/.test(origin)) {
+ logger.debug('CORS: technicalkorea.net 서브도메인 허용', { origin });
+ return callback(null, true);
+ }
+
 // 개발 환경에서는 모든 localhost 허용
 if (process.env.NODE_ENV === 'development') {
 if (origin.includes('localhost') || origin.includes('127.0.0.1')) {
@@ -64,9 +70,9 @@ const corsOptions = {
 return callback(null, true);
 }
 
- // 차단
+ // 차단 (500 에러 대신 CORS 헤더 미포함으로 거부)
 logger.warn('CORS: 차단된 Origin', { origin });
- callback(new Error(`CORS 정책에 의해 차단됨: ${origin}`));
+ callback(null, false);
 },
 
 /**
diff --git a/system2-report/api/index.js b/system2-report/api/index.js
index b404a71..e1196fd 100644
--- a/system2-report/api/index.js
+++ b/system2-report/api/index.js
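Review bot: The pattern `/^https?:\/\/[a-z0-9-]+\.technicalkorea\.net$/` on the added `if` line of sso-auth-service/index.js accepts plain-`http` origins and every subdomain while `credentials: true` is set, so any such origin is allowed to read credentialed responses from the SSO service. A cleartext origin can be impersonated by anyone on the network path, and one compromised or dangling subdomain inherits the same trust. Consider restricting it to `/^https:\/\/[a-z0-9-]+\.technicalkorea\.net$/`, or listing the specific hosts in `allowedOrigins` instead of a wildcard. The same pattern is added in the first system1-factory/api/config/cors.js hunk and in the system2-report, tkpurchase, tksafety, tksupport and user-management index.js hunks.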
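Review bot: `callback(null, false)` in the second cors.js hunk only omits the CORS response headers; with the `cors` middleware the request is still handed on to the route handlers, whereas the removed `callback(new Error(...))` stopped it. A cross-site request that needs no preflight therefore still executes server-side even though the browser hides the response, so this path should not be relied on as a CSRF barrier; whether separate CSRF or SameSite protection exists is not visible here. If the goal is only to avoid the 500, a small middleware ahead of the routes that answers a disallowed `Origin` with an explicit 403 keeps the old blocking behaviour. The `cb(null, false)` lines in the six index.js hunks behave the same way and, unlike this file, drop the rejection without logging it. The enclosing origin function starts and ends outside the hunk.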
@@ -29,8 +29,8 @@ if (process.env.NODE_ENV === 'development') {
 }
 app.use(cors({
 origin: function(origin, cb) {
- if (!origin || allowedOrigins.includes(origin) || /^http:\/\/192\.168\.\d+\.\d+(:\d+)?$/.test(origin)) return cb(null, true);
- cb(new Error('CORS blocked: ' + origin));
+ if (!origin || allowedOrigins.includes(origin) || /^https?:\/\/[a-z0-9-]+\.technicalkorea\.net$/.test(origin) || /^http:\/\/192\.168\.\d+\.\d+(:\d+)?$/.test(origin)) return cb(null, true);
+ cb(null, false);
 },
 credentials: true
 }));
diff --git a/tkpurchase/api/index.js b/tkpurchase/api/index.js
index 973036e..42514c3 100644
--- a/tkpurchase/api/index.js
+++ b/tkpurchase/api/index.js
@@ -25,8 +25,8 @@ if (process.env.NODE_ENV === 'development') {
 }
 app.use(cors({
 origin: function(origin, cb) {
- if (!origin || allowedOrigins.includes(origin) || /^http:\/\/192\.168\.\d+\.\d+(:\d+)?$/.test(origin)) return cb(null, true);
- cb(new Error('CORS blocked: ' + origin));
+ if (!origin || allowedOrigins.includes(origin) || /^https?:\/\/[a-z0-9-]+\.technicalkorea\.net$/.test(origin) || /^http:\/\/192\.168\.\d+\.\d+(:\d+)?$/.test(origin)) return cb(null, true);
+ cb(null, false);
 },
 credentials: true
 }));
diff --git a/tksafety/api/index.js b/tksafety/api/index.js
index f79c0e9..9fb4bf6 100644
--- a/tksafety/api/index.js
+++ b/tksafety/api/index.js
@@ -27,8 +27,8 @@ if (process.env.NODE_ENV === 'development') {
 }
 app.use(cors({
 origin: function(origin, cb) {
- if (!origin || allowedOrigins.includes(origin) || /^http:\/\/192\.168\.\d+\.\d+(:\d+)?$/.test(origin)) return cb(null, true);
- cb(new Error('CORS blocked: ' + origin));
+ if (!origin || allowedOrigins.includes(origin) || /^https?:\/\/[a-z0-9-]+\.technicalkorea\.net$/.test(origin) || /^http:\/\/192\.168\.\d+\.\d+(:\d+)?$/.test(origin)) return cb(null, true);
+ cb(null, false);
 },
 credentials: true
 }));
diff --git a/tksupport/api/index.js b/tksupport/api/index.js
index 44c20fb..7d78ddd 100644
--- a/tksupport/api/index.js
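Review bot: The origin check on the added `if` line in system2-report/api/index.js is a three-clause one-liner that is copied into the sso-auth-service, tkpurchase, tksafety, tksupport and user-management index.js hunks and restated in cors.js, and the copies already differ: sso-auth-service also accepts `localhost`. Moving the patterns into one shared, named helper (for example an `isAllowedOrigin(origin)` function, name illustrative) with a comment on why subdomains are trusted would keep the allow-list auditable in one place. The `http://192.168.x.x` clause appears to sit outside the `NODE_ENV === 'development'` block closed just above it, which deserves a comment such as `// LAN origins are intentionally allowed in production` if that is intended.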
+++ b/tksupport/api/index.js
@@ -23,8 +23,8 @@ if (process.env.NODE_ENV === 'development') {
 }
 app.use(cors({
 origin: function(origin, cb) {
- if (!origin || allowedOrigins.includes(origin) || /^http:\/\/192\.168\.\d+\.\d+(:\d+)?$/.test(origin)) return cb(null, true);
- cb(new Error('CORS blocked: ' + origin));
+ if (!origin || allowedOrigins.includes(origin) || /^https?:\/\/[a-z0-9-]+\.technicalkorea\.net$/.test(origin) || /^http:\/\/192\.168\.\d+\.\d+(:\d+)?$/.test(origin)) return cb(null, true);
+ cb(null, false);
 },
 credentials: true
 }));
diff --git a/user-management/api/index.js b/user-management/api/index.js
index ede2766..f5d5974 100644
--- a/user-management/api/index.js
+++ b/user-management/api/index.js
@@ -42,8 +42,8 @@ if (process.env.NODE_ENV === 'development') {
 }
 app.use(cors({
 origin: function(origin, cb) {
- if (!origin || allowedOrigins.includes(origin) || /^http:\/\/192\.168\.\d+\.\d+(:\d+)?$/.test(origin)) return cb(null, true);
- cb(new Error('CORS blocked: ' + origin));
+ if (!origin || allowedOrigins.includes(origin) || /^https?:\/\/[a-z0-9-]+\.technicalkorea\.net$/.test(origin) || /^http:\/\/192\.168\.\d+\.\d+(:\d+)?$/.test(origin)) return cb(null, true);
+ cb(null, false);
 },
 credentials: true
 }));