diff --git a/internal/server/middleware.go b/internal/server/middleware.go
index eec6f5c..cb663ec 100644
--- a/internal/server/middleware.go
+++ b/internal/server/middleware.go
@@ -7,7 +7,7 @@ import "net/http"
 func enableCORS(handler func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("access-control-allow-origin", "*")
-		w.Header().Set("access-control-allow-method", "post")
+		w.Header().Set("access-control-allow-methods", "options, post")
 		w.Header().Set("access-control-allow-headers", "authorization, content-type")
 		w.Header().Set("access-control-max-age", "3600")
 		if r.Method == http.MethodOptions {
diff --git a/internal/server/middleware_test.go b/internal/server/middleware_test.go
index 45739eb..fba2d61 100644
--- a/internal/server/middleware_test.go
+++ b/internal/server/middleware_test.go
@@ -31,8 +31,8 @@ func Test_enableCORS(t *testing.T) {
 		if w.Header().Get("access-control-allow-origin") != "*" {
 			t.Errorf("invalid access-control-allow-origin")
 		}
-		if w.Header().Get("access-control-allow-method") != "post" {
-			t.Errorf("invalid access-control-allow-method")
+		if w.Header().Get("access-control-allow-methods") != "options, post" {
+			t.Errorf("invalid access-control-allow-methods")
 		}
 		if w.Header().Get("access-control-allow-headers") != "authorization, content-type" {
 			t.Errorf("invalid access-control-allow-headers")