diff --git a/docker/gateway_docker_params.yaml b/docker/gateway_docker_params.yaml
index 160dbb66d..1d4049a57 100644
--- a/docker/gateway_docker_params.yaml
+++ b/docker/gateway_docker_params.yaml
@@ -7,3 +7,13 @@ ros2_medkit_gateway:
       host: "0.0.0.0"
       port: 8080
     refresh_interval_ms: 2000
+    # The web UI runs as a separate origin (its own host/port), so the
+    # documented "run the web UI next to the gateway" path needs CORS. Without
+    # it the browser gets "Failed to fetch". These are the default web UI
+    # origins; a wildcard is deliberately NOT used - with auth disabled and
+    # write methods enabled it would let any site drive cross-origin writes.
+    # Add your own UI origin(s) here, and enable JWT auth for production.
+    cors:
+      allowed_origins:
+        - "http://localhost:3000"
+        - "http://localhost:5173"
diff --git a/docs/tutorials/docker.rst b/docs/tutorials/docker.rst
index 61cbf9fb7..84c042e67 100644
--- a/docs/tutorials/docker.rst
+++ b/docs/tutorials/docker.rst
@@ -67,8 +67,10 @@ Test the gateway:
 Custom Configuration
 --------------------
 
-The default configuration listens on ``0.0.0.0:8080`` with CORS disabled.
-To use a custom configuration, mount a params file:
+The default configuration listens on ``0.0.0.0:8080``. CORS is enabled for the
+default web UI origins (``http://localhost:3000`` and ``http://localhost:5173``)
+so the web UI works out of the box; add your own UI origin(s) as needed (see
+`CORS for Web UI`_ below). To use a custom configuration, mount a params file:
 
 .. code-block:: bash
 
@@ -211,8 +213,10 @@ For containers to discover each other's ROS 2 nodes, use the same ``ROS_DOMAIN_I
 CORS for Web UI
 ---------------
 
-When the Web UI runs in a separate container or host, enable CORS in your
-custom params file. CORS is disabled by default for production safety:
+The image enables CORS for the default web UI origins (``http://localhost:3000``
+and ``http://localhost:5173``). A wildcard is deliberately not used: with auth
+disabled and write methods enabled it would let any site drive cross-origin
+writes. Add your own UI origin(s):
 
 .. code-block:: yaml