diff --git a/app.py b/app.py
index 7046ea9..a2846a0 100644
--- a/app.py
+++ b/app.py
@@ -1,11 +1,27 @@
-from flask import Flask
+from flask import Flask, request, jsonify
 from flask_cors import CORS
 from db import init_db
 from routes.api import api
 from routes.dashboard import dashboard
 
 app = Flask(__name__)
-CORS(app)  # Allow cross-origin requests from the Tampermonkey script
+
+CORS(app, resources={r"/*": {"origins": "*"}}, supports_credentials=False)
+
+# Belt-and-suspenders: inject CORS headers on every response,
+# including error responses that flask-cors might miss.
+@app.after_request
+def add_cors_headers(response):
+    response.headers['Access-Control-Allow-Origin']  = '*'
+    response.headers['Access-Control-Allow-Methods'] = 'GET, POST, DELETE, OPTIONS'
+    response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
+    return response
+
+# Explicitly handle OPTIONS preflight for all routes
+@app.route('/', defaults={'path': ''}, methods=['OPTIONS'])
+@app.route('/<path:path>', methods=['OPTIONS'])
+def handle_options(path):
+    return jsonify({}), 200
 
 app.register_blueprint(api)
 app.register_blueprint(dashboard)
@@ -13,4 +29,4 @@ app.register_blueprint(dashboard)
 if __name__ == '__main__':
     init_db()
     print("✅ Grepolis Remote — DB initialised")
-    app.run(host='0.0.0.0', port=5050, debug=True)
+    app.run(host='0.0.0.0', port=5050, debug=True)
\ No newline at end of file