diff --git a/config.yaml b/config.yaml
index 23f7eba..3911ce2 100644
--- a/config.yaml
+++ b/config.yaml
@@ -1,5 +1,5 @@
 server:
- port: ":8080"
+ port: "0.0.0.0:8080"
 # JWT_SECRET can be set via env var JWT_SECRET to override this.
 jwt_secret: "VerySecretJwtKeyForLocalDevelopmentChangeThis"
diff --git a/go.sum b/go.sum
index d7b887d..f1c9d69 100644
--- a/go.sum
+++ b/go.sum
@@ -1,13 +1,7 @@
-github.com/go-chi/chi/v5 v5.2.0 h1:Aj1EtB0qR2Rdo2dG4O94RIU35w2lvQSj6BRA4+qwFL0=
-github.com/go-chi/chi/v5 v5.2.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
 github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
-github.com/golang-jwt/jwt/v4 v4.4.3 h1:Hxl6lhQFj4AnOX6MLrsCb/+7tCj7DxP7VA+2rDIq5AU=
-github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/rs/cors v1.10.0 h1:62NOS1h+r8p1mW6FM0FSB0exioXLhd/sh15KpjWBZ+8=
-github.com/rs/cors v1.10.0/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
 github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
diff --git a/main.go b/main.go
index f67c162..1740836 100644
--- a/main.go
+++ b/main.go
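Review bot: In the config.yaml hunk, the new `port: "0.0.0.0:8080"` keeps the service listening on every interface while the context line below it still ships the placeholder `jwt_secret`, so a deployment that forgets to set JWT_SECRET is network-reachable with a signing key that is public in the repository. If this value is handed straight to Go's listener, `":8080"` already bound all interfaces, so the edit mostly narrows the listener to IPv4 rather than changing exposure. For a development default I would bind loopback, `port: "127.0.0.1:8080"`, and have startup refuse the placeholder secret; whether the config loader already rejects it is not visible in this diff.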
@@ -236,18 +236,10 @@ func buildRouter(cfg *Config) chi.Router {
 r.Use(middleware.Recoverer)
 // CORS
- allowedOrigins := []string{"http://localhost:3000"}
- if env := os.Getenv("FRONTEND_ORIGINS"); env != "" {
- for _, origin := range strings.Split(env, ",") {
- if strings.TrimSpace(origin) != "" {
- allowedOrigins = append(allowedOrigins, strings.TrimSpace(origin))
- }
- }
- }
 corsMw := cors.New(cors.Options{
- AllowedOrigins: allowedOrigins,
+ AllowedOrigins: []string{"*"},
 AllowedMethods: []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
- AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
+ AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token", "X-User-Subject", "X-User-Id", "X-User-Roles"},
 ExposedHeaders: []string{"Link"},
 AllowCredentials: true,
 MaxAge: 300,
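Review bot: `AllowedOrigins: []string{"*"}` next to the unchanged `AllowCredentials: true` removes the origin allowlist from an API that accepts `Authorization` and credentialed requests. Browsers reject a literal `*` on credentialed responses, so cookie-based calls will likely break, and any configuration that reflects the request origin instead would let every site read authenticated responses. I would keep `AllowedOrigins: allowedOrigins,` and the removed FRONTEND_ORIGINS parsing, adding origins through the environment rather than a wildcard. The newly allowed `X-User-Subject`, `X-User-Id` and `X-User-Roles` headers deserve a comment stating who sets them: if any handler derives identity or roles from them they are client-controlled and should be stripped unless they come from a trusted proxy. The handlers and the rest of buildRouter are outside this hunk, so that needs confirming.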