set cors in api pipeline

config/runtime.exs

@@ -35,12 +35,6 @@ if amqp_url do
   config :policy_service, :amqp_url, amqp_url
 end
 
-cors_origin = System.get_env("CORS_ORIGIN", "*")
-
-config :cors_plug,
-  origin: cors_origin,
-  allow_headers: ["*"]
-
 # Zitadel Configuration
 
 # ## Using releases

lib/policy_service_web/endpoint.ex

@@ -42,7 +42,6 @@ defmodule PolicyServiceWeb.Endpoint do
     pass: ["*/*"],
     json_decoder: Phoenix.json_library()
 
-  plug CORSPlug
   plug Plug.MethodOverride
   plug Plug.Head
   plug Plug.Session, @session_options

lib/policy_service_web/router.ex

@@ -5,6 +5,10 @@ defmodule PolicyServiceWeb.Router do
   alias PolicyServiceWeb.HealthController
 
   pipeline :api do
+    plug CORSPlug,
+      origin: ["*"],
+      headers: ["authorization", "content-type", "accept", "x-organization-id"]
+
     plug OpenApiSpex.Plug.PutApiSpec, module: PolicyServiceWeb.ApiSpec
   end