diff --git a/app.py b/app.py
index 6678703..3ef22d6 100644
--- a/app.py
+++ b/app.py
@@ -24,6 +24,14 @@ logging.basicConfig(
 )
 logger = logging.getLogger(__name__)
 
+# CORS Configuration
+ALLOWED_ORIGINS = [
+    "https://game-timer.virtonline.eu",
+    # Add other allowed origins if needed
+]
+ALLOWED_METHODS = ["POST", "OPTIONS"]
+ALLOWED_HEADERS = ["Content-Type"]
+
 class FlicButtonHandler:
     def __init__(self):
         # Load button configurations
@@ -193,7 +201,35 @@ def create_app():
     app = web.Application()
     handler = FlicButtonHandler()
 
-    # Setup routes
+    async def options_handler(request):
+        """Handle OPTIONS requests for CORS preflight."""
+        origin = request.headers.get('Origin', '')
+        if origin in ALLOWED_ORIGINS:
+            headers = {
+                'Access-Control-Allow-Origin': origin,
+                'Access-Control-Allow-Methods': ', '.join(ALLOWED_METHODS),
+                'Access-Control-Allow-Headers': ', '.join(ALLOWED_HEADERS),
+                'Access-Control-Max-Age': '86400',  # 24 hours
+            }
+            return web.Response(status=200, headers=headers)
+        return web.Response(status=403)  # Forbidden origin
+
+    async def add_cors_headers(request, response):
+        """Add CORS headers to normal responses."""
+        origin = request.headers.get('Origin', '')
+        if origin in ALLOWED_ORIGINS:
+            response.headers['Access-Control-Allow-Origin'] = origin
+            response.headers['Access-Control-Expose-Headers'] = 'Content-Type'
+        return response
+
+    # Register middleware
+    app.on_response_prepare.append(add_cors_headers)
+
+    # Setup routes with OPTIONS handlers
+    app.router.add_route('OPTIONS', '/flic-webhook', options_handler)
+    app.router.add_route('OPTIONS', '/subscribe', options_handler)
+    
+    # Original routes
     app.router.add_post('/flic-webhook', handler.handle_flic_webhook)
     app.router.add_post('/subscribe', handler.handle_subscribe)