diff --git a/app.js b/app.js
index 992bc95..9d08327 100644
--- a/app.js
+++ b/app.js
@@ -69,8 +69,15 @@ app.use(helmet({
 },
 }));
 app.use(cors({
- origin: config.cors.origin,
+ origin: (origin, callback) => {
+ // Allow requests with no origin (mobile apps, Postman, server-to-server)
+ if (!origin) return callback(null, true);
+ // Allow all origins but still support credentials
+ return callback(null, true);
+ },
 credentials: true,
+ methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
+ allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
 }));
 
 /**
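Review bot: The new `origin` callback ends in an unconditional `return callback(null, true);`, so together with `credentials: true` the cors middleware will echo back whatever Origin the browser sends and mark the response as credentialed; if the API relies on cookies or other ambient credentials (not visible from this hunk), any site can then read authenticated responses. The `if (!origin)` branch is also redundant as written, because both paths return the same result. Keep the no-origin shortcut but decide every other request against an allowlist, e.g. `return callback(null, allowedOrigins.includes(origin));`, with `allowedOrigins` built from the existing `config.cors.origin` value (its shape is not shown here), and reword the comment to say which origins are accepted instead of "Allow all origins".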