diff --git a/README.md b/README.md
index 11e389c..09c6016 100644
--- a/README.md
+++ b/README.md
@@ -194,9 +194,9 @@ The API has CORS (Cross-Origin Resource Sharing) enabled with the following conf
 - http://localhost
 - http://localhost:3000
 - https://v0-ecommerce-app-build-swart.vercel.app
- - *
 - Allowed methods: GET, POST, PUT, DELETE, OPTIONS, PATCH
-- Allowed headers: Content-Type, Authorization, Accept, Origin, X-Requested-With, X-CSRF-Token
-- Exposed headers: Content-Length
+- Allowed headers: Content-Type, Authorization, Accept, Origin, X-Requested-With, X-CSRF-Token, Access-Control-Allow-Credentials
+- Exposed headers: Content-Length, Content-Type
+- Credentials support: Enabled
 - Max age for preflight requests: 600 seconds (10 minutes)
\ No newline at end of file
diff --git a/app/core/config.py b/app/core/config.py
index 5544e0f..e714593 100644
--- a/app/core/config.py
+++ b/app/core/config.py
@@ -26,8 +26,7 @@ class Settings(BaseSettings):
 CORS_ORIGINS: List[str] = [
 "http://localhost",
 "http://localhost:3000",
- "https://v0-ecommerce-app-build-swart.vercel.app",
- "*"
+ "https://v0-ecommerce-app-build-swart.vercel.app"
 ]
 # Security settings
diff --git a/main.py b/main.py
index fb4d0c6..343d545 100644
--- a/main.py
+++ b/main.py
@@ -20,8 +20,8 @@ app.add_middleware(
 allow_origins=settings.CORS_ORIGINS,
 allow_credentials=True,
 allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"],
- allow_headers=["Content-Type", "Authorization", "Accept", "Origin", "X-Requested-With", "X-CSRF-Token"],
- expose_headers=["Content-Length"],
+ allow_headers=["Content-Type", "Authorization", "Accept", "Origin", "X-Requested-With", "X-CSRF-Token", "Access-Control-Allow-Credentials"],
+ expose_headers=["Content-Length", "Content-Type"],
 max_age=600, # 10 minutes cache for preflight requests
 )
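Review bot: The default `CORS_ORIGINS` list still carries the two development origins, `http://localhost` and `http://localhost:3000`, next to the production origin, and main.py in this same commit passes the list to the middleware with `allow_credentials=True`. In a production deployment that leaves whatever is served on those local ports trusted for credentialed cross-origin requests, so the default would be safer holding only the deployed front-end origin, with the localhost entries supplied per environment. Because `Settings` derives from `BaseSettings`, the value can presumably be overridden from the environment, so a startup guard such as `if "*" in settings.CORS_ORIGINS: raise RuntimeError("wildcard CORS origin not allowed with credentials")` placed before `app.add_middleware(` would keep the removed wildcard from coming back. The `Settings` class starts and ends outside this hunk.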
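Review bot: `Access-Control-Allow-Credentials` is a response header, so adding it to `allow_headers` does not enable credentials; that is already done by `allow_credentials=True` two lines above, and the new entry only widens the set of request headers the preflight accepts. I would keep the previous list, `allow_headers=["Content-Type", "Authorization", "Accept", "Origin", "X-Requested-With", "X-CSRF-Token"],`. The added `"Content-Type"` in `expose_headers` is also redundant, since Content-Type is a CORS-safelisted response header that scripts can already read without it being exposed. The `app.add_middleware(` call opens above the hunk.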