diff --git a/src/main/java/se/urmo/hemhub/config/SecurityConfig.java b/src/main/java/se/urmo/hemhub/config/SecurityConfig.java
index 39dfd35..c9fd33e 100644
--- a/src/main/java/se/urmo/hemhub/config/SecurityConfig.java
+++ b/src/main/java/se/urmo/hemhub/config/SecurityConfig.java
@@ -2,6 +2,8 @@ package se.urmo.hemhub.config;
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod; // 👈
+import org.springframework.security.config.Customizer; // 👈
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@@ -21,12 +23,14 @@ public class SecurityConfig {
     SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http
             .csrf(AbstractHttpConfigurer::disable)
+            .cors(Customizer.withDefaults())
             .authorizeHttpRequests(auth -> auth
                 .requestMatchers(
                     "/public/**", "/actuator/health", "/actuator/info", "/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html"
                 ).permitAll()
+                .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                 .anyRequest().authenticated()
             )
             .oauth2ResourceServer(oauth -> oauth.jwt(jwt -> jwt.jwtAuthenticationConverter(jwtConverter())));
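Review bot: The `// 👈` trailing markers on the two new imports are editing breadcrumbs, not documentation, and should not be committed; drop them so the lines read `import org.springframework.http.HttpMethod;` and `import org.springframework.security.config.Customizer;`. If a pointer to "what changed" is wanted, that belongs in the commit message, not in the import block.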
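Review bot: The new `.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()` rule is broader than the preflight case it is presumably meant for: once `.cors(Customizer.withDefaults())` is on the chain, Spring Security's CORS filter answers a CORS preflight before authorization runs, so the rule adds nothing for preflight but does let every non-preflight OPTIONS request to any path through unauthenticated, which at minimum exposes the per-path Allow list to anonymous callers. Either drop the line or, if it is deliberate, say so next to it: `// OPTIONS permitted unauthenticated on all paths (also non-CORS OPTIONS, not only preflight)`. It is also worth a comment on the `.cors(...)` line that `withDefaults()` is expected to pick up the `corsConfigurationSource` bean declared in this class (Spring Security resolves a CorsConfigurationSource bean by that name, as far as I recall); if the bean is ever renamed, the chain silently falls back to Spring MVC's CORS setup instead of this one. filterChain's body continues past the end of the hunk.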
@@ -37,12 +41,12 @@ public class SecurityConfig {
     CorsConfigurationSource corsConfigurationSource() {
         var config = new CorsConfiguration();
         config.setAllowedOrigins(List.of(
-            "http://localhost:5173", // dev-SPA
-            "https://rubble.se" // prod-origin (SPA under /hemhub/app/)
+            "http://localhost:5173", // dev-SPA
+            "https://rubble.se" // prod-origin (SPA ligger under subpath men origin är domen)
         ));
         config.setAllowedMethods(List.of("GET","POST","PATCH","DELETE","OPTIONS"));
         config.setAllowedHeaders(List.of("Authorization","Content-Type","Accept"));
-        config.setAllowCredentials(false); // vi använder Bearer, inte cookies
+        config.setAllowCredentials(false); // Bearer, inga cookies
         config.setMaxAge(3600L);
 
         var source = new UrlBasedCorsConfigurationSource();
@@ -57,4 +61,3 @@ public class SecurityConfig {
         return converter;
     }
 }
-
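Review bot: The allowed-origin list is still hard-coded in the `setAllowedOrigins(List.of(...))` call, so `http://localhost:5173` is accepted as a CORS origin in every environment including production, and adding or removing an origin means a code change and redeploy. With `setAllowCredentials(false)` and Bearer authentication the practical exposure is small, but binding the list from configuration (a `@Value`- or `@ConfigurationProperties`-backed list per profile) keeps the dev origin out of the production build and makes the policy reviewable outside the code. The rewritten comment on the `https://rubble.se` line is in Swedish while `// dev-SPA` on the line above is English; pick one language for comments in this file — `// prod origin (the SPA lives under a subpath, but the origin is the bare domain)` carries the same meaning. corsConfigurationSource's body continues past the end of the hunk.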