diff --git a/internal/router/router.go b/internal/router/router.go
index 2141b38..fd09f7a 100644
--- a/internal/router/router.go
+++ b/internal/router/router.go
@@ -114,48 +114,16 @@ func SetupRouter(deps *Dependencies) *gin.Engine {
 return r
 }

-// corsMiddleware configures CORS
+// corsMiddleware configures CORS - allowing all origins for API access
 func corsMiddleware(cfg *config.Config) gin.HandlerFunc {
- corsConfig := cors.Config{
+ return cors.New(cors.Config{
+ AllowAllOrigins: true,
 AllowMethods: []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
- AllowHeaders: []string{"Origin", "Content-Type", "Accept", "Authorization"},
+ AllowHeaders: []string{"Origin", "Content-Type", "Accept", "Authorization", "X-Requested-With"},
 ExposeHeaders: []string{"Content-Length"},
- AllowCredentials: true,
+ AllowCredentials: false, // Must be false when AllowAllOrigins is true
 MaxAge: 12 * time.Hour,
- }
-
- // In debug mode or if no proper origins configured, allow all origins
- if cfg.Server.Debug {
- corsConfig.AllowAllOrigins = true
- } else {
- // Transform allowed hosts to proper origins with https://
- var origins []string
- for _, host := range cfg.Server.AllowedHosts {
- host = strings.TrimSpace(host)
- if host == "" {
- continue
- }
- if host == "*" {
- corsConfig.AllowAllOrigins = true
- break
- }
- // If host doesn't have scheme, add https://
- if !strings.HasPrefix(host, "http://") && !strings.HasPrefix(host, "https://") {
- origins = append(origins, "https://"+host)
- origins = append(origins, "http://"+host) // Also allow http for dev
- } else {
- origins = append(origins, host)
- }
- }
- if !corsConfig.AllowAllOrigins && len(origins) > 0 {
- corsConfig.AllowOrigins = origins
- } else if !corsConfig.AllowAllOrigins {
- // Fallback to allow all if no valid origins
- corsConfig.AllowAllOrigins = true
- }
- }
-
- return cors.New(corsConfig)
+ })
 }

 // healthCheck returns API health status
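Review bot: `AllowAllOrigins: true` is now unconditional in corsMiddleware, so `cfg.Server.AllowedHosts` is silently ignored and a deployment that configured an origin allow-list loses that restriction with no warning. The `cfg` parameter is left unused. I would keep the wildcard only for `cfg.Server.Debug` or an empty host list, and otherwise set `AllowOrigins` from the normalised hosts as the removed loop did, still with `AllowCredentials: false`. If the wildcard is intentional, say so in the doc comment, e.g. `// CORS is not an access control here: any origin may call the API, so every handler must authenticate via the Authorization header.` Also check whether `strings` is still used elsewhere in router.go; the import block is outside this hunk, and an unused import would break the build.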