diff --git a/ots-signs/layoutauth.html b/ots-signs/layoutauth.html
index 9884e5d..2cbebec 100644
--- a/ots-signs/layoutauth.html
+++ b/ots-signs/layoutauth.html
@@ -195,7 +195,7 @@
.catch(function () {
// Not authenticated — send to the CMS login page, preserving the return URL
var returnUrl = encodeURIComponent(window.location.href);
- var loginUrl = window.location.origin + "/" + slug + "/cms/login?redirect=" + returnUrl;
+ var loginUrl = window.location.origin + cmsBase + "/login?redirect=" + returnUrl;
window.location.replace(loginUrl);
});
})();
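Review bot: The new `window.location.origin + cmsBase + "/login"` on the `+` line is only same-origin if `cmsBase` begins with exactly one `/`; the old code hard-coded that slash, while a `cmsBase` such as `cms`, `.attacker.example/x` or `//attacker.example/x` now yields a different host, and `window.location.replace` would turn the login bounce into an open redirect that also carries the user's current URL. `cmsBase` is defined outside this hunk, so its provenance cannot be checked here and this is a hedge rather than a confirmed defect; the enclosing `.catch` handler and IIFE also start outside the hunk. Resolving the path with `new URL(..., window.location.origin)` and refusing any result whose origin differs fails closed regardless of how `cmsBase` is built, and `searchParams.set` replaces the hand-encoded query string.

```javascript
// Resolve against the CMS origin and refuse anything that escapes it
// (a leading "//" or a scheme in cmsBase would otherwise change the host).
var loginUrl = new URL(cmsBase + "/login", window.location.origin);
if (loginUrl.origin !== window.location.origin) {
  throw new Error("cmsBase must be a same-origin path");
}
loginUrl.searchParams.set("redirect", window.location.href);
window.location.replace(loginUrl.href);
```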
diff --git a/ots-signs/views/layout-designer-page.twig b/ots-signs/views/layout-designer-page.twig
index 28d03cc..971e812 100644
--- a/ots-signs/views/layout-designer-page.twig
+++ b/ots-signs/views/layout-designer-page.twig
@@ -576,8 +576,9 @@
? document.getElementById('layout-editor').getAttribute('data-layout-id')
: null;
- // TODO: For production, restrict targetOrigin to your app's domain
- var targetOrigin = '*';
+ // Restrict postMessage to the known React app origin.
+ // window.location.origin is the CMS origin; the parent app is on the same host.
+ var targetOrigin = window.location.origin;
/**
* Send a message to the parent window.