diff --git a/app/Config/Routes.php b/app/Config/Routes.php
index 03c1b3e..5420267 100644
--- a/app/Config/Routes.php
+++ b/app/Config/Routes.php
@@ -98,18 +98,20 @@ $routes->group('api/v1', ['namespace' => 'App\Controllers\Api\V1', 'filter' => [
 });
 $routes->get('/themes', 'ThemeStore::index');
 $routes->options('/themes', static function () {
- header('Access-Control-Allow-Origin: http://localhost:5173');
+ $origin = service('request')->getHeaderLine('Origin') ?: '*';
+ header('Access-Control-Allow-Origin: ' . $origin);
 header('Access-Control-Allow-Methods: GET, OPTIONS');
- header('Access-Control-Allow-Headers: Content-Type, Accept, Fetch');
- header('Access-Control-Allow-Credentials: true');
+ header('Access-Control-Allow-Headers: Content-Type, Accept');
+ header('Vary: Origin');
 return response()->setStatusCode(204);
 });
 $routes->post('/themes/upload', 'ThemeStore::upload');
 $routes->options('/themes/upload', static function () {
- header('Access-Control-Allow-Origin: http://localhost:5173');
+ $origin = service('request')->getHeaderLine('Origin') ?: '*';
+ header('Access-Control-Allow-Origin: ' . $origin);
 header('Access-Control-Allow-Methods: POST, OPTIONS');
- header('Access-Control-Allow-Headers: Content-Type, Accept, Fetch');
- header('Access-Control-Allow-Credentials: true');
+ header('Access-Control-Allow-Headers: Content-Type, Accept');
+ header('Vary: Origin');
 return response()->setStatusCode(204);
 });
 $routes->get('/themes/preview/(:segment)', 'ThemeStore::preview/$1');
diff --git a/app/Controllers/ThemeStore.php b/app/Controllers/ThemeStore.php
index d3a26db..bbbc658 100644
--- a/app/Controllers/ThemeStore.php
+++ b/app/Controllers/ThemeStore.php
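Review bot: Echoing the request's `Origin` back unconditionally in both `options('/themes', …)` and `options('/themes/upload', …)` makes every site an allowed origin, which is a wildcard in effect and a worse one than `*`: browsers refuse credentialed requests against a literal `*`, but they accept them against a reflected origin, so the first time someone re-adds `Access-Control-Allow-Credentials: true` (or a filter sets it) any page on the web can read these responses with the user's cookies. The same reflection is repeated in `ThemeStore::index()` and `ThemeStore::upload()` in the second file of this diff. Compare the origin against a configured allowlist and emit `Access-Control-Allow-Origin` only on a match, keeping `Vary: Origin` in all cases; because the four copies are identical, a small shared closure — or, on CodeIgniter 4.5 and later, the built-in `cors` filter driven by `Config\Cors` — removes the duplication. Setting headers with `header()` also keeps them off the `Response` object the handler returns, so anything inspecting that object (tests, later filters) cannot see them; `setHeader()` keeps them together.

```php
$routes->options('/themes', static function () {
    // Allowed origins belong in configuration; constructed placeholder shown here.
    $allowedOrigins = ['https://<frontend-host-placeholder>'];
    $origin   = service('request')->getHeaderLine('Origin');
    $response = response()->setStatusCode(204)->setHeader('Vary', 'Origin');
    if (in_array($origin, $allowedOrigins, true)) {
        $response->setHeader('Access-Control-Allow-Origin', $origin)
            ->setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS')
            ->setHeader('Access-Control-Allow-Headers', 'Content-Type, Accept');
    }
    return $response;
});
// … unchanged: '/themes/upload' preflight, same shape with 'POST, OPTIONS' …
```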
@@ -24,8 +24,9 @@ class ThemeStore extends BaseController
 }
 if ($this->request->isAJAX() || $this->request->hasHeader('Fetch') || str_contains($this->request->getHeaderLine('Accept'), 'application/json')) {
- header('Access-Control-Allow-Origin: http://localhost:5173');
- header('Access-Control-Allow-Credentials: true');
+ $origin = $this->request->getHeaderLine('Origin') ?: '*';
+ header('Access-Control-Allow-Origin: ' . $origin);
+ header('Vary: Origin');
 return $this->response->setJSON($themes);
 }
@@ -38,8 +39,9 @@ class ThemeStore extends BaseController
 public function upload(): Response
 {
- header('Access-Control-Allow-Origin: http://localhost:5173');
- header('Access-Control-Allow-Credentials: true');
+ $origin = $this->request->getHeaderLine('Origin') ?: '*';
+ header('Access-Control-Allow-Origin: ' . $origin);
+ header('Vary: Origin');
 $file = $this->request->getFile('theme_css');
 $displayName = trim($this->request->getPost('display_name') ?? '');
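Review bot: The unchanged `if` line in `index()` still selects the JSON branch on `$this->request->hasHeader('Fetch')`, but the preflight handlers in `app/Config/Routes.php` in this same commit no longer list `Fetch` in `Access-Control-Allow-Headers`, so a cross-origin browser client that sends that header is now refused at preflight and never reaches this branch. Either drop the `Fetch` test (the same condition already accepts `Accept: application/json`, which needs no extra allowed header) or restore `Fetch` in the preflight list; it is a one-line change either way. The `?: '*'` fallback on the first added line also emits `Access-Control-Allow-Origin: *` for requests that carry no `Origin` at all, i.e. same-origin and non-browser calls that need no CORS header; omitting the header when `Origin` is absent is the safer default. The same fallback is used in `upload()` in the next hunk, whose body continues past the end of this diff.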