diff --git a/packages/fastify-core/src/create-app.ts b/packages/fastify-core/src/create-app.ts
index 9c947446..3063eb8a 100644
--- a/packages/fastify-core/src/create-app.ts
+++ b/packages/fastify-core/src/create-app.ts
@@ -30,8 +30,8 @@ export async function createServiceApp(options: ServiceAppOptions): Promise<Fast
 
   const app = Fastify({ logger });
 
-  // CORS
-  const origin = corsOrigin ? corsOrigin.split(',').map(o => o.trim()) : true;
+  // CORS — deny all origins when CORS_ORIGIN is not explicitly set
+  const origin = corsOrigin ? corsOrigin.split(',').map(o => o.trim()) : false;
   await app.register(cors, { origin });
 
   // OpenAPI spec (optional — consumer must have @fastify/swagger installed)
diff --git a/packages/fastify-core/src/start.ts b/packages/fastify-core/src/start.ts
index a2addd17..e74160e9 100644
--- a/packages/fastify-core/src/start.ts
+++ b/packages/fastify-core/src/start.ts
@@ -6,6 +6,16 @@ import type { FastifyApp, StartOptions } from './types.js';
 
 export async function startService(app: FastifyApp, options: StartOptions): Promise<void> {
   const { port, host = '0.0.0.0' } = options;
+
+  // Graceful shutdown on SIGTERM/SIGINT (Docker, K8s, Ctrl-C)
+  for (const signal of ['SIGTERM', 'SIGINT'] as const) {
+    process.on(signal, async () => {
+      app.log.info(`Received ${signal}, shutting down gracefully…`);
+      await app.close();
+      process.exit(0);
+    });
+  }
+
   try {
     await app.listen({ port, host });
     app.log.info(`Service listening on ${host}:${port}`);