diff --git a/next.config.js b/next.config.js
index a155ece75..941c44825 100644
--- a/next.config.js
+++ b/next.config.js
@@ -17,6 +17,22 @@ const headers = [
     key: 'X-DNS-Prefetch-Control',
     value: 'on',
   },
+  {
+    key: 'Access-Control-Allow-Credentials',
+    value: 'true',
+  },
+  {
+    key: 'Access-Control-Allow-Origin',
+    value: '*',
+  },
+  {
+    key: 'Access-Control-Allow-Headers',
+    value: 'Content-Type',
+  },
+  {
+    key: 'Access-Control-Allow-Methods',
+    value: 'GET, OPTIONS, PATCH, DELETE, POST, PUT',
+  },
   {
     key: 'Content-Security-Policy',
     value: contentSecurityPolicy
@@ -26,6 +42,11 @@ const headers = [
   },
 ];
 
+headers.push({
+  key: 'Access-Control-Allow-Origin',
+  value: '*',
+});
+
 if (process.env.FORCE_SSL) {
   headers.push({
     key: 'Strict-Transport-Security',
diff --git a/package.json b/package.json
index 0f437c355..923a07a7d 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "umami",
-  "version": "2.9.0",
+  "version": "2.9.1",
   "description": "A simple, fast, privacy-focused alternative to Google Analytics.",
   "author": "Mike Cao <mike@mikecao.com>",
   "license": "MIT",
diff --git a/src/pages/api/auth/login.ts b/src/pages/api/auth/login.ts
index e1007b3c4..0f6f5324b 100644
--- a/src/pages/api/auth/login.ts
+++ b/src/pages/api/auth/login.ts
@@ -70,6 +70,8 @@ export default async (
     log('Login failed:', { username, user });
 
     return unauthorized(res, 'message.incorrect-username-password');
+  } else if (req.method === 'OPTIONS') {
+    return ok(res);
   }
 
   return methodNotAllowed(res);
diff --git a/test.html b/test.html
new file mode 100644
index 000000000..27aec1b14
--- /dev/null
+++ b/test.html
@@ -0,0 +1,28 @@
+<html>
+<script>
+    async function postData(url = "", data = {}) {
+  // Default options are marked with *
+  const response = await fetch(url, {
+    method: "GET", // *GET, POST, PUT, DELETE, etc.
+    mode: "cors", // no-cors, *cors, same-origin
+    cache: "no-cache", // *default, no-cache, reload, force-cache, only-if-cached
+    credentials: "same-origin", // include, *same-origin, omit
+    headers: {
+      "Content-Type": "application/json",
+      'Access-Control-Allow-Origin': '*',
+      "Authorization":"Bearer 6QEzcKYfrgQAemg1Z5e9oGwbGzPy2OAV3UH2N5IQF0Z7MwIhqtWTTCBCnQQcuFQEUJa3lXfkwD8G/SbFPKklcfDfbszJqIdxeDPwWbPY0ogSGebEVdz9lZBb0dQmgSEOEpVgG4ux+Qt18PzYX6fLEbCMqO6wR7A3Z5StDDct6s35kEQj1fW7ln7HXkgp22MJx3hqNgJ/01D6avAA+dv2A8uG3j64zaqmlK0S4tntczXbXGfR8u9x3qmMm74o+JMcfSnRiNMVA0zbDOVHx4w/GKzqfYs3HASY+qN7upwYIYPSk4AAY2o24cfVn5ZPGqyRuF91RXechyVe98n4tBll1edQ+XkqrAXQ6w==",
+      "Orgin":"localhost"
+      // 'Content-Type': 'application/x-www-form-urlencoded',
+    },
+    redirect: "follow", // manual, *follow, error
+    referrerPolicy: "no-referrer", // no-referrer, *no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url
+    //body: JSON.stringify(data), // body data type must match "Content-Type" header
+  });
+  return response.json(); // parses JSON response into native JavaScript objects
+}
+
+postData("http://localhost:8080/api/websites/", { answer: 42 }).then((data) => {
+  console.log(data); // JSON data parsed by `data.json()` call
+});
+</script>
+</htm>
\ No newline at end of file
diff --git a/yarn.lock b/yarn.lock
index adfcc8370..b24830a3c 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1,8 +1,6 @@
 # THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
 # yarn lockfile v1
 
-strict-ssl false
-enableStrictSsl false
 
 "@aashutoshrathi/word-wrap@^1.2.3":
   version "1.2.6"