diff --git a/Cargo.lock b/Cargo.lock
index ce7e949..6fb9953 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -653,6 +653,7 @@ dependencies = [
  "thiserror 2.0.17",
  "time",
  "tokio",
+ "tower-http",
  "tower-sessions",
  "tower-sessions-sqlx-store",
  "utoipa",
@@ -2792,6 +2793,22 @@ dependencies = [
  "tower-service",
 ]
 
+[[package]]
+name = "tower-http"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e9cd434a998747dd2c4276bc96ee2e0c7a2eadf3cae88e52be55a05fa9053f5"
+dependencies = [
+ "bitflags",
+ "bytes",
+ "http",
+ "http-body",
+ "http-body-util",
+ "pin-project-lite",
+ "tower-layer",
+ "tower-service",
+]
+
 [[package]]
 name = "tower-layer"
 version = "0.3.3"
diff --git a/Cargo.toml b/Cargo.toml
index e4ee190..6de78d4 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -9,6 +9,7 @@ sea-orm = { version = "1.0", features = ["sqlx-postgres", "runtime-tokio-rustls"
 sea-orm-migration = { version = "1.0", default-features = false, features = ["sqlx-postgres", "runtime-tokio-rustls"] }
 dotenvy = "0.15.7"
 axum = { version = "0.7", features = ["json"] }
+tower-http = { version = "0.5", features = ["cors"] }
 chrono = { version = "0.4.42", features = ["serde"] }
 serde = { version = "1.0.228", features = ["derive"] }
 serde_json = "1.0"
diff --git a/src/lib.rs b/src/lib.rs
index 3a42d17..72eed44 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -11,6 +11,8 @@ use tower_sessions::{Expiry, SessionManagerLayer};
 use tower_sessions_sqlx_store::PostgresStore;
 use axum_login::AuthManagerLayerBuilder;
 use time::Duration;
+use tower_http::cors::CorsLayer;
+use axum::http::{Method, HeaderValue};
 
 pub mod models;
 pub mod services;
@@ -133,7 +135,22 @@ pub async fn create_app(db: DatabaseConnection) -> Result<Router, DbErr> {
     let swagger_ui = SwaggerUi::new("/swagger-ui")
         .url("/api-docs/openapi.json", ApiDoc::openapi());
 
-    let app = api_routes.merge(swagger_ui);
+    let cors = CorsLayer::new()
+        .allow_origin([
+            "http://localhost:3000".parse::<HeaderValue>().unwrap(),
+            "http://localhost:8080".parse::<HeaderValue>().unwrap(),
+        ])
+        .allow_methods([Method::GET, Method::POST, Method::PUT, Method::DELETE, Method::OPTIONS])
+        .allow_headers([
+            axum::http::header::CONTENT_TYPE,
+            axum::http::header::AUTHORIZATION,
+            axum::http::header::ACCEPT,
+        ])
+        .allow_credentials(true);
+
+    let app = api_routes
+        .layer(cors)
+        .merge(swagger_ui);
 
     Ok(app)
 }