diff --git a/src/config/configuration.ts b/src/config/configuration.ts
index 051d194e..4d364e27 100644
--- a/src/config/configuration.ts
+++ b/src/config/configuration.ts
@@ -2,7 +2,7 @@ export default () => ({
 app: {
 port: parseInt(process.env.PORT ?? '3000', 10),
 nodeEnv: process.env.NODE_ENV ?? 'development',
- corsOrigins: (process.env.CORS_ORIGINS ?? 'http://localhost:3000')
+ corsOrigins: (process.env.CORS_ORIGINS ?? '*')
 .split(',')
 .map((origin) => origin.trim())
 .filter(Boolean),
diff --git a/src/main.ts b/src/main.ts
index 7a545f0f..69a2e37d 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -11,13 +11,30 @@ async function bootstrap() {
 const reflector = app.get(Reflector);
 const configService = app.get(ConfigService);
 const corsOrigins = configService.get('app.corsOrigins', []);
+ const allowAllOrigins = corsOrigins.includes('*');
 app.setGlobalPrefix('api');
 app.enableCors({
- origin: corsOrigins,
+ origin: (origin, callback) => {
+ if (!origin || allowAllOrigins || corsOrigins.includes(origin)) {
+ callback(null, true);
+ return;
+ }
+
+ callback(new Error(`Origin ${origin} is not allowed by CORS`), false);
+ },
 credentials: true,
 methods: ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE', 'OPTIONS'],
- allowedHeaders: ['Content-Type', 'Authorization', 'x-product-type'],
+ allowedHeaders: [
+ 'Content-Type',
+ 'Authorization',
+ 'x-product-type',
+ 'Accept',
+ 'Origin',
+ 'X-Requested-With',
+ ],
+ exposedHeaders: ['Content-Disposition'],
+ optionsSuccessStatus: 204,
 });
 app.useGlobalPipes(
 new ValidationPipe({
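Review bot: The new default on the `+ corsOrigins:` line makes the permissive mode the out-of-the-box behaviour: when `CORS_ORIGINS` is unset, the `allowAllOrigins` branch in the main.ts hunk answers `callback(null, true)` for every request origin while `credentials: true` stays set, which (as far as the cors middleware's origin callback is concerned) means any site's Origin is echoed back as allowed together with credentials. The previous `'http://localhost:3000'` default failed closed; a deployment that simply forgets to set the variable now gets the widest possible policy rather than a broken local one. Keeping the restrictive default and requiring `'*'` to be set explicitly preserves that, e.g. revert to `corsOrigins: (process.env.CORS_ORIGINS ?? 'http://localhost:3000')`, and a comment such as `// '*' is honoured by main.ts as "allow any origin, with credentials" — opt in explicitly, never as the default` would make the coupling to the main.ts check visible here. The main.ts hunk itself runs past the end of this chunk, so the rest of `bootstrap` is not reviewed.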