On first deploy, the backend needs a CORS origin but the frontend has no public URL yet. Attempting to set CORS_ALLOW_ORIGIN=* as a placeholder works but is insecure in prod. Resolution: deploy backend first with CORS_ALLOW_ORIGIN unset (defaults to *), generate the frontend domain, then update the backend env var and let Railway redeploy. Takes ~60s extra per full deploy cycle.
Two-service Railway deploys where frontend and backend are separate services in the same project.
