diff --git a/src/main/java/icu/samnyan/aqua/spring/SecurityConfig.kt b/src/main/java/icu/samnyan/aqua/spring/SecurityConfig.kt
index f5aaa776..537b7dd8 100644
--- a/src/main/java/icu/samnyan/aqua/spring/SecurityConfig.kt
+++ b/src/main/java/icu/samnyan/aqua/spring/SecurityConfig.kt
@@ -6,10 +6,22 @@ import org.springframework.security.config.Customizer
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.web.SecurityFilterChain
+import org.springframework.web.cors.CorsConfiguration
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource
+
 
 @Configuration
 @EnableWebSecurity
-class SecurityConfig() {
+class SecurityConfig {
+    @Bean
+    fun corsConfigurationSource() = UrlBasedCorsConfigurationSource().apply {
+        registerCorsConfiguration("/api/**", CorsConfiguration().apply {
+            allowedOrigins = listOf("*")
+            allowedMethods = listOf("GET", "POST", "PUT", "DELETE", "OPTIONS")
+            allowedHeaders = listOf("*")
+        })
+    }
+
     @Bean
     fun configure(http: HttpSecurity): SecurityFilterChain = http
         .headers { it.disable() }