diff --git a/src/main/java/team7/inplace/security/config/CorsConfig.java b/src/main/java/team7/inplace/security/config/CorsConfig.java
index 424a4552..a677572e 100644
--- a/src/main/java/team7/inplace/security/config/CorsConfig.java
+++ b/src/main/java/team7/inplace/security/config/CorsConfig.java
@@ -16,8 +16,20 @@ public CorsFilter corsFilter() {
 config.setAllowCredentials(true);
 config.addAllowedOrigin("https://www.inplace.my");
 config.addAllowedOriginPattern("https://api.inplace.my");
- config.addAllowedHeader("*");
- config.addAllowedMethod("*");
+ config.addAllowedHeader("Origin");
+ config.addAllowedHeader("Accept");
+ config.addAllowedHeader("X-Requested-With");
+ config.addAllowedHeader("Content-Type");
+ config.addAllowedHeader("Access-Control-Request-Method");
+ config.addAllowedHeader("Access-Control-Request-Headers");
+ config.addAllowedHeader("Authorization");
+ config.addAllowedMethod("GET");
+ config.addAllowedMethod("POST");
+ config.addAllowedMethod("PUT");
+ config.addAllowedMethod("DELETE");
+ config.addAllowedMethod("OPTIONS");
+ config.addAllowedHeader("PATCH");
+ config.addAllowedMethod("HEAD");
 source.registerCorsConfiguration("/**", config);
 return new CorsFilter(source);
 }
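Review bot: The added line `config.addAllowedHeader("PATCH");`, sitting among the method entries, registers PATCH as a request-header name rather than an HTTP method. With the `*` method wildcard removed, a cross-origin PATCH preflight would no longer match the allow-list, so the line should read `config.addAllowedMethod("PATCH");`. `Origin`, `Access-Control-Request-Method` and `Access-Control-Request-Headers` are set by the browser on the preflight itself rather than requested by scripts, so they can likely be dropped to keep the header allow-list minimal. A short comment above the list, such as `// Explicit allow-list: credentials are enabled, so add any new custom request header here`, would tell the next maintainer why the wildcard must not come back. corsFilter() begins outside the hunk.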