diff --git a/packages/backend/src/main.ts b/packages/backend/src/main.ts
index 90bc09e..4951466 100644
--- a/packages/backend/src/main.ts
+++ b/packages/backend/src/main.ts
@@ -19,9 +19,21 @@ export async function buildApp() {
   const app = Fastify({
     logger: {
       level: process.env.LOG_LEVEL ?? 'info',
-      ...(process.env.NODE_ENV === 'development' ? { transport: { target: 'pino-pretty' } } : {}),
+      ...(process.env.NODE_ENV === 'development'
+        ? { transport: { target: 'pino-pretty' } }
+        : process.env.LOG_FILE
+          ? {
+              transport: {
+                targets: [
+                  { target: 'pino/file', options: { destination: 1 } }, // stdout
+                  { target: 'pino/file', options: { destination: process.env.LOG_FILE, mkdir: true } },
+                ],
+              },
+            }
+          : {}),
     },
     genReqId: () => crypto.randomUUID(),
+    requestTimeout: 30000, // 30 seconds
   })
 
   // Plugins
diff --git a/packages/backend/src/plugins/cors.ts b/packages/backend/src/plugins/cors.ts
index 9a66099..8b332b2 100644
--- a/packages/backend/src/plugins/cors.ts
+++ b/packages/backend/src/plugins/cors.ts
@@ -2,7 +2,16 @@ import fp from 'fastify-plugin'
 import cors from '@fastify/cors'
 
 export const corsPlugin = fp(async (app) => {
-  await app.register(cors, {
-    origin: process.env.NODE_ENV === 'development' ? true : false,
-  })
+  const corsOrigins = process.env.CORS_ORIGINS
+  let origin: boolean | string[]
+
+  if (process.env.NODE_ENV === 'development') {
+    origin = true // allow all in dev
+  } else if (corsOrigins) {
+    origin = corsOrigins.split(',').map((o) => o.trim())
+  } else {
+    origin = false
+  }
+
+  await app.register(cors, { origin })
 })
diff --git a/packages/shared/src/schemas/auth.schema.ts b/packages/shared/src/schemas/auth.schema.ts
index 445f583..9fad053 100644
--- a/packages/shared/src/schemas/auth.schema.ts
+++ b/packages/shared/src/schemas/auth.schema.ts
@@ -5,7 +5,7 @@ export type UserRole = z.infer<typeof UserRole>
 
 export const RegisterSchema = z.object({
   email: z.string().email(),
-  password: z.string().min(8).max(128),
+  password: z.string().min(12).max(128),
   firstName: z.string().min(1).max(100),
   lastName: z.string().min(1).max(100),
   role: UserRole.default('staff'),
diff --git a/packages/shared/src/schemas/pagination.schema.ts b/packages/shared/src/schemas/pagination.schema.ts
index 89d05a0..8f1faca 100644
--- a/packages/shared/src/schemas/pagination.schema.ts
+++ b/packages/shared/src/schemas/pagination.schema.ts
@@ -5,7 +5,7 @@ export const PaginationSchema = z.object({
   limit: z.coerce.number().int().min(1).max(100).default(25),
   sort: z.string().max(50).optional(),
   order: z.enum(['asc', 'desc']).default('asc'),
-  q: z.string().max(255).optional(),
+  q: z.preprocess((v) => (v === '' ? undefined : v), z.string().max(255).optional()),
 })
 export type PaginationInput = z.infer<typeof PaginationSchema>