diff --git a/cmd/api/middleware.go b/cmd/api/middleware.go
index d180f68..038bf55 100644
--- a/cmd/api/middleware.go
+++ b/cmd/api/middleware.go
@@ -152,11 +152,10 @@ func (app *application) requirePermission(code string, next http.HandlerFunc) ht
 func (app *application) enableCORS(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- // w.Header().Set("Access-Control-Allow-Origin", "*")
 w.Header().Add("Vary", "Origin")
 w.Header().Add("Vary", "Access-Control-Request-Method")
 origin := r.Header.Get("Origin")
- if origin != "" {
+ if origin != "" && len(app.config.cors.trustedOrigins) != 0 {
 for i := range app.config.cors.trustedOrigins {
 if origin == app.config.cors.trustedOrigins[i] {
 w.Header().Set("Access-Control-Allow-Origin", origin)
@@ -169,6 +168,14 @@ func (app *application) enableCORS(next http.Handler) http.Handler {
 break
 }
 }
+ } else {
+ w.Header().Set("Access-Control-Allow-Origin", "*")
+ if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
+ w.Header().Set("Access-Control-Allow-Methods", "OPTIONS, PUT, PATCH, DELETE")
+ w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
+ w.WriteHeader(http.StatusOK)
+ return
+ }
 }
 next.ServeHTTP(w, r)
 })
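Review bot: The combined condition `origin != "" && len(app.config.cors.trustedOrigins) != 0` sends two different cases to the `else` added in the second hunk: no trusted origins configured, and a request that simply carries no `Origin` header. In the second case a deployment that does have an allowlist still answers with `Access-Control-Allow-Origin: *`, which is unlikely to be intended. Testing the list first keeps them apart, e.g. `if len(app.config.cors.trustedOrigins) == 0 {` for the wildcard branch and `} else if origin != "" {` for the allowlist loop. Part of the loop body lies between the two hunks and is not visible here, so this assumes it is unchanged.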
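Review bot: The new `else` branch fails open: an empty `trustedOrigins` (setting not supplied, or a value that parses to nothing) becomes `Access-Control-Allow-Origin: *` together with a preflight response that permits the `Authorization` header, so the API is readable from every origin without anyone having chosen that. If allow-all is meant as a convenience default, it would be safer behind an explicit opt-in setting, and the branch deserves a comment such as `// No trusted origins configured: allow any origin (public or development use only).` Logging once at startup that CORS is running open would also make an accidental misconfiguration visible to operators.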