diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index 3609b62..8dde7eb 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -15,23 +15,21 @@ const SECURITY_HEADERS = {
 "Referrer-Policy": "strict-origin-when-cross-origin",
 };
 
+const CORS_HEADERS: Record = {
+ "access-control-allow-credentials": "true",
+ "access-control-allow-methods": "GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS",
+ "access-control-allow-headers": "Content-Type, Authorization",
+};
+
 const app = new Elysia()
- .onAfterHandle(({ set, request }) => {
- Object.assign(set.headers, SECURITY_HEADERS);
+ .onRequest(({ request, set }) => {
 const origin = request.headers.get("origin") || "*";
 set.headers["access-control-allow-origin"] = origin;
- set.headers["access-control-allow-credentials"] = "true";
- set.headers["access-control-allow-methods"] = "GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS";
- set.headers["access-control-allow-headers"] = "Content-Type, Authorization";
- })
- .options("/*", ({ set, request }) => {
- const origin = request.headers.get("origin") || "*";
- set.headers["access-control-allow-origin"] = origin;
- set.headers["access-control-allow-credentials"] = "true";
- set.headers["access-control-allow-methods"] = "GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS";
- set.headers["access-control-allow-headers"] = "Content-Type, Authorization";
- set.status = 204;
- return null;
+ Object.assign(set.headers, CORS_HEADERS, SECURITY_HEADERS);
+ if (request.method === "OPTIONS") {
+ set.status = 204;
+ return new Response(null, { status: 204, headers: { ...CORS_HEADERS, ...SECURITY_HEADERS, "access-control-allow-origin": origin } });
+ }
 })
 .get("/", () => ({
 name: "PingQL API",
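Review bot: The `onRequest` hook still copies whatever `Origin` the client sends into `access-control-allow-origin` while `CORS_HEADERS` sets `access-control-allow-credentials: true`, so every origin may make credentialed requests and read the responses; the new preflight `Response` repeats the same reflection. If the API authenticates with cookies or other ambient credentials (not visible in this hunk), this removes the same-origin protection CORS is meant to provide. The `"*"` fallback is also rejected by browsers once credentials are allowed, and no `Vary: Origin` is sent, so a shared cache could replay one origin's headers to another. I'd check the origin against an explicit allowlist (`ALLOWED_ORIGINS` below is a placeholder name, not something in this file) and emit the CORS headers only on a match. The chained `app` definition continues past the end of the hunk.

```typescript
  .onRequest(({ request, set }) => {
    const origin = request.headers.get("origin");
    // ALLOWED_ORIGINS: placeholder for the deployment's set of trusted front-end origins
    const cors =
      origin !== null && ALLOWED_ORIGINS.has(origin)
        ? { ...CORS_HEADERS, "access-control-allow-origin": origin }
        : {};
    // Vary: Origin keeps caches from serving one origin's CORS headers to another
    const headers = { ...cors, ...SECURITY_HEADERS, vary: "Origin" };
    Object.assign(set.headers, headers);
    if (request.method === "OPTIONS") {
      return new Response(null, { status: 204, headers });
    }
  })
  // … unchanged: .get("/") route and the rest of the chain …
```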