diff --git a/anyway/app_and_db.py b/anyway/app_and_db.py
index 671e95ee..b53143ba 100644
--- a/anyway/app_and_db.py
+++ b/anyway/app_and_db.py
@@ -38,7 +38,7 @@ def get_cors_config() -> dict:
         r"/api/infographics-data": {"origins": "*"},
         r"/api/infographics-data-by-location": {"origins": "*"},
         r"/api/gps-to-location": {"origins": "*"},
-        r"/api/news-flash": {"origins": "*", "methods": ["GET", "PATCH", "OPTIONS"]},
+        r"/api/news-flash/*": {"origins": "*", "methods": ["GET", "PATCH", "OPTIONS"], "supports_credentials": True},
         r"/api/news-flash-v2": {"origins": "*"},
         r"/api/embedded-reports": {"origins": "*"},
         r"/api/streets": {"origins": "*"},
diff --git a/anyway/flask_app.py b/anyway/flask_app.py
index aef0370f..e5a2055a 100755
--- a/anyway/flask_app.py
+++ b/anyway/flask_app.py
@@ -1097,14 +1097,6 @@ def acc_in_area_query():
 
 app.add_url_rule("/api/v1/news-flash", endpoint=None, view_func=news_flash, methods=["GET"])
 
-
-@app.after_request
-def add_allow_methods_header(response):
-    if request.path.startswith("/api/news-flash/"):
-        response.headers['Access-Control-Allow-Methods'] = "GET, POST, PATCH"
-        response.headers['Access-Control-Allow-Origin'] = "*"
-    return response
-
 nf_parser = reqparse.RequestParser()
 nf_parser.add_argument("id", type=int, help="News flash id")
 nf_parser.add_argument("source", type=str, help="news flash source")
@@ -1176,7 +1168,7 @@ def datetime_to_str(val: datetime.datetime) -> str:
 )
 
 
-@api.route("/api/news-flash/<int:news_flash_id>", methods=["GET", "PATCH"])
+@api.route("/api/news-flash/<int:news_flash_id>", methods=["GET", "PATCH", "OPTIONS"])
 class ManageSingleNewsFlash(Resource):
     @api.doc("get single news flash")
     @api.response(404, "News flash not found")