diff --git a/routes/api/_middleware.ts b/routes/api/_middleware.ts
index 4cbce21..e7e4bd1 100644
--- a/routes/api/_middleware.ts
+++ b/routes/api/_middleware.ts
@@ -39,7 +39,14 @@ function handle_auth(req: Request, ctx: MiddlewareHandlerContext) {
 export async function handler(req: Request, ctx: MiddlewareHandlerContext) {
     const m = get_task_manager();
     if (!(handle_auth(req, ctx))) {
-        return return_error(401, "Unauthorized");
+        const headers: HeadersInit = {};
+        const origin = req.headers.get("origin");
+        if (origin) {
+            const c = m.cfg.cors_credentials_hosts.includes(origin);
+            headers["Access-Control-Allow-Origin"] = c ? origin : "*";
+            if (c) headers["Access-Control-Allow-Credentials"] = "true";
+        }
+        return return_error(401, "Unauthorized", 401, headers);
     }
     const res = await ctx.next();
     if (req.method === "OPTIONS" && res.status === 405) {
diff --git a/server/utils.ts b/server/utils.ts
index 40357e8..5abf173 100644
--- a/server/utils.ts
+++ b/server/utils.ts
@@ -29,8 +29,10 @@ function gen_response<T>(
 export function return_error<T = unknown>(
     status: Exclude<number, 0>,
     error: string,
+    http_status = 200,
+    headers: HeadersInit = {},
 ) {
-    return gen_response<T>({ ok: false, status, error });
+    return gen_response<T>({ ok: false, status, error }, http_status, headers);
 }
 
 export function return_data<T = unknown>(