diff --git a/config/runtime.exs b/config/runtime.exs
index 8c90c0f..9dcf261 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -39,7 +39,21 @@ cors_origin = System.get_env("CORS_ORIGIN", "*")
 config :cors_plug,
 origin: cors_origin,
- headers: ["*"]
+ headers: [
+ "Authorization",
+ "x-organization-id"
+ "Content-Type",
+ "Accept",
+ "Origin",
+ "User-Agent",
+ "DNT",
+ "Cache-Control",
+ "X-Mx-ReqToken",
+ "Keep-Alive",
+ "X-Requested-With",
+ "If-Modified-Since",
+ "X-CSRF-Token"
+ ]
 # Zitadel Configuration
@@ -108,6 +122,7 @@ if config_env() == :prod do
 required_scopes: [
 "openid",
 "profile",
- "urn:zitadel:iam:org:project:#{System.get_env("ZITADEL_PROJECT_ID")}:roles"
+ "urn:zitadel:iam:org:project:#{System.get_env("ZITADEL_PROJECT_ID")}:roles",
+ "urn:zitadel:iam:org:project:#{System.get_env("ZITADEL_PROJECT_ID")}:aud"
 ]
 end
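Review bot: The new `headers:` list in the first hunk is missing a comma after `"x-organization-id"`, so that string and `"Content-Type"` end up as two adjacent literals, which Elixir rejects as a syntax error; because this is `config/runtime.exs`, the failure would presumably surface when the release boots rather than at build time. The line should read `"x-organization-id",`. Separately, the allow-list now names `Authorization` explicitly while `CORS_ORIGIN` still falls back to `"*"` (visible in the hunk heading), so unless the variable is set, token-bearing requests appear to be accepted from any origin. A comment above the `config :cors_plug` call such as `# CORS_ORIGIN must name the front-end origin in prod; "*" is a development fallback` would make that dependency visible, or the fallback could be dropped outside dev.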
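Review bot: In the second hunk the added `:aud` entry interpolates `System.get_env("ZITADEL_PROJECT_ID")` a second time, and an unset variable interpolates as an empty string, so `required_scopes` would silently contain `urn:zitadel:iam:org:project::aud` instead of failing. Reading the value once with `project_id = System.fetch_env!("ZITADEL_PROJECT_ID")` and using `#{project_id}` in both entries would stop startup on a missing value and remove the duplication. It is also worth checking the scope string against the Zitadel documentation: as far as I recall the reserved audience scope is `urn:zitadel:iam:org:project:id:<project id>:aud`, with an `id:` segment, in which case the new entry would not match what the issuer puts in tokens. The `if config_env() == :prod do` block and the keyword list that holds `required_scopes` start outside the hunk, so earlier validation of the variable cannot be ruled out from here.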