diff --git a/backend/server.js b/backend/server.js
index 065e29a..6c6ffe2 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -16,7 +16,22 @@ const TOKEN_SECRET = process.env.TOKEN_SECRET_KEY;
 
 // Middleware
 app.use(helmet());
-app.use(cors());
+//app.use(cors());
+const corsOptions = {
+  origin: [
+    'https://config.email-bayarea.com',
+  ],
+  methods: ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE'],
+  allowedHeaders: [
+    'Content-Type',
+    'Accept',
+    'Authorization',
+    'x-hide-loading',
+  ],
+  credentials: false, // true nur wenn Cookies / Auth-Headers mit credentials genutzt werden
+};
+app.use(cors(corsOptions));
+app.options('*', cors(corsOptions));
 app.use(express.json());
 app.use(morgan('dev'));