diff --git a/src/main/java/icu/samnyan/aqua/security/config/SecurityConfig.java b/src/main/java/icu/samnyan/aqua/security/config/SecurityConfig.java
index 669b5b4..fe8410c 100644
--- a/src/main/java/icu/samnyan/aqua/security/config/SecurityConfig.java
+++ b/src/main/java/icu/samnyan/aqua/security/config/SecurityConfig.java
@@ -1,9 +1,15 @@
 package icu.samnyan.aqua.security.config;
 
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+import java.util.Arrays;
 
 /**
  * @author samnyan (privateamusement@protonmail.com)
@@ -12,10 +18,22 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 @EnableWebSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
+    @Bean
+    CorsConfigurationSource corsConfigurationSource() {
+        CorsConfiguration config = new CorsConfiguration();
+        config.setAllowedOrigins(Arrays.asList("*"));
+        config.setAllowedHeaders(Arrays.asList("*"));
+        config.setAllowedMethods(Arrays.asList("GET", "PUT", "POST", "DELETE", "OPTIONS"));
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/api/**", config);
+        return source;
+    }
+
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         http
                 .headers().disable()
+                .cors().and()
                 .csrf().disable()
                 .authorizeRequests()
                 .anyRequest().permitAll();