diff --git a/config/runtime.exs b/config/runtime.exs
index 4d26464..4610551 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -35,12 +35,6 @@ if amqp_url do
   config :policy_service, :amqp_url, amqp_url
 end
 
-cors_origin = System.get_env("CORS_ORIGIN", "*")
-
-config :cors_plug,
-  origin: cors_origin,
-  allow_headers: ["*"]
-
 # Zitadel Configuration
 
 # ## Using releases
diff --git a/lib/policy_service_web/endpoint.ex b/lib/policy_service_web/endpoint.ex
index 027d793..e21f913 100644
--- a/lib/policy_service_web/endpoint.ex
+++ b/lib/policy_service_web/endpoint.ex
@@ -42,7 +42,6 @@ defmodule PolicyServiceWeb.Endpoint do
     pass: ["*/*"],
     json_decoder: Phoenix.json_library()
 
-  plug CORSPlug
   plug Plug.MethodOverride
   plug Plug.Head
   plug Plug.Session, @session_options
diff --git a/lib/policy_service_web/router.ex b/lib/policy_service_web/router.ex
index b08ebe0..e9a769d 100644
--- a/lib/policy_service_web/router.ex
+++ b/lib/policy_service_web/router.ex
@@ -5,6 +5,10 @@ defmodule PolicyServiceWeb.Router do
   alias PolicyServiceWeb.HealthController
 
   pipeline :api do
+    plug CORSPlug,
+      origin: ["*"],
+      headers: ["authorization", "content-type", "accept", "x-organization-id"]
+
     plug OpenApiSpex.Plug.PutApiSpec, module: PolicyServiceWeb.ApiSpec
   end