diff --git a/backend/main.go b/backend/main.go
index 161358a..5431d1b 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -4,6 +4,7 @@ import (
 "database/sql"
 "log"
 "os"
+ "net/http"
 "github.com/gin-contrib/cors"
 "github.com/gin-gonic/gin"
@@ -42,17 +43,27 @@ func main() {
 r.Use(cors.New(cors.Config{
 AllowOrigins: []string{"*"},
 AllowMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "HEAD"},
- AllowHeaders: []string{"*"},
+ AllowHeaders: []string{"Origin", "Content-Type", "Accept", "Authorization", "X-Requested-With", "Range", "Accept-Language", "Accept-Encoding", "Cache-Control", "Pragma", "If-Modified-Since"},
 ExposeHeaders: []string{"*"},
- AllowCredentials: false, // Must be false when using wildcard origins
- AllowOriginFunc: func(origin string) bool {
- return true // Allow all origins
- },
+ AllowCredentials: false,
+ AllowOriginFunc: func(origin string) bool { return true },
 }))
 // Routes
 setupRoutes(r)
+ // Global preflight handler for any path
+ r.OPTIONS("/*path", func(c *gin.Context) {
+ c.Header("Access-Control-Allow-Origin", "*")
+ c.Header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, PATCH, HEAD")
+ reqHeaders := c.GetHeader("Access-Control-Request-Headers")
+ if reqHeaders == "" {
+ reqHeaders = "Origin, Content-Type, Accept, Authorization, X-Requested-With, Range, Accept-Language, Accept-Encoding, Cache-Control, Pragma, If-Modified-Since"
+ }
+ c.Header("Access-Control-Allow-Headers", reqHeaders)
+ c.Status(http.StatusNoContent)
+ })
+
 // Start server
 port := os.Getenv("PORT")
 if port == "" {
diff --git a/frontend/nginx.conf b/frontend/nginx.conf
index 531be1f..a4159f5 100644
--- a/frontend/nginx.conf
+++ b/frontend/nginx.conf
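Review bot: The new `r.OPTIONS("/*path", …)` handler in `backend/main.go` copies the request's `Access-Control-Request-Headers` value straight into `Access-Control-Allow-Headers`, so any header a caller names is approved and the explicit `AllowHeaders` list introduced a few lines above has no effect on preflights answered here. Reply with the fixed list in both cases, e.g. `c.Header("Access-Control-Allow-Headers", allowedHeaders)` with `allowedHeaders` shared with the `cors.Config`, or drop the handler entirely if the `cors` middleware registered through `r.Use` already answers preflight requests (it appears to, but confirm against the gin-contrib/cors version in use). The same hunk deletes the comment that explained why `AllowCredentials` is false; since `AllowOriginFunc` still returns true for every origin, keep that guard rail visible: `AllowCredentials: false, // must stay false while every origin is accepted`. `main` starts before and continues after this hunk.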
@@ -16,6 +16,15 @@ server {
 location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|woff|woff2|ttf|eot)$ {
 expires 1y;
 add_header Cache-Control "public, immutable";
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' '*' always;
+ add_header 'Access-Control-Expose-Headers' '*' always;
+ add_header 'Access-Control-Max-Age' '3600' always;
+
+ if ($request_method = 'OPTIONS') {
+ return 204;
+ }
 }
 # API proxy to backend
@@ -50,6 +59,12 @@ server {
 add_header 'Access-Control-Allow-Origin' '*' always;
 add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS, PATCH, HEAD' always;
 add_header 'Access-Control-Allow-Headers' '*' always;
+ add_header 'Access-Control-Expose-Headers' '*' always;
+ add_header 'Access-Control-Max-Age' '3600' always;
+
+ if ($request_method = 'OPTIONS') {
+ return 204;
+ }
 try_files $uri $uri/ /index.html;
 }
@@ -59,3 +74,4 @@ server {
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-XSS-Protection "1; mode=block" always;
 }
+
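Review bot: Responses from the static-asset location, and from `location /` in the second hunk, probably go out without the `X-Content-Type-Options` and `X-XSS-Protection` headers shown in the last hunk's context, and that now includes the new `return 204` preflight answers. nginx inherits `add_header` from the enclosing level only when the current level declares none, and both locations declare their own; this assumes the security headers sit at `server` level, which the last hunk suggests but does not prove. Repeat them inside each location or move them into a shared `include`, e.g. `add_header X-Content-Type-Options "nosniff" always;`. Separately, `Access-Control-Allow-Headers '*'` and the new `Access-Control-Expose-Headers '*'` are wider than the explicit header list the backend change in this commit adopts, and `Access-Control-Max-Age '3600'` keeps a permissive preflight answer cached in browsers for an hour after any later tightening. Align the nginx values with the backend list.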