diff --git a/config.ts b/config.ts
index ec80483..b072f56 100644
--- a/config.ts
+++ b/config.ts
@@ -24,6 +24,7 @@ export type ConfigType = {
 remove_previous_gallery: boolean;
 img_verify_secret?: string;
 meili_hosts?: Record;
+ cors_credentials_hosts: Array;
 };
 export enum ThumbnailMethod {
@@ -149,6 +150,16 @@ export class Config {
 }
 return undefined;
 }
+ get cors_credentials_hosts(): Array {
+ if (Array.isArray(this._data.cors_credentials_hosts)) {
+ const hosts: Array = [];
+ for (const i of this._data.cors_credentials_hosts) {
+ if (typeof i === "string") hosts.push(i);
+ }
+ return hosts;
+ }
+ return [];
+ }
 to_json(): ConfigType {
 return {
 cookies: typeof this.cookies === "string",
@@ -173,6 +184,7 @@ export class Config {
 remove_previous_gallery: this.remove_previous_gallery,
 img_verify_secret: this.img_verify_secret,
 meili_hosts: this.meili_hosts,
+ cors_credentials_hosts: this.cors_credentials_hosts,
 };
 }
 }
diff --git a/routes/api/_middleware.ts b/routes/api/_middleware.ts
index 8af49cc..4cbce21 100644
--- a/routes/api/_middleware.ts
+++ b/routes/api/_middleware.ts
@@ -37,6 +37,7 @@ function handle_auth(req: Request, ctx: MiddlewareHandlerContext) {
 }
 export async function handler(req: Request, ctx: MiddlewareHandlerContext) {
+ const m = get_task_manager();
 if (!(handle_auth(req, ctx))) {
 return return_error(401, "Unauthorized");
 }
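Review bot: `get cors_credentials_hosts` has no documentation, and its name undersells what the value is matched against: the middleware hunks below compare each entry with `includes(origin)` against the raw `Origin` request header, so an entry is only useful as a complete origin and is compared as an exact string. I would put a TSDoc block on the getter such as `/** Origins allowed to use credentialed CORS. Each entry is matched with an exact string comparison against the request's Origin header, so it must be a full origin such as scheme://host:port with no path or trailing slash; non-string entries are ignored. */`. The `typeof i === "string"` filter also drops misconfigured entries silently, which means a mistyped entry quietly demotes that site to the credential-less `*` branch; a warning log there would make that visible to operators. The type arguments on `Array` and `Record` look stripped in this rendering (presumably `Array<string>` in the source), which is worth confirming against the actual file.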
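Review bot: The `const m = get_task_manager();` added at the top of `handler` is shadowed by the `const m = get_task_manager();` that remains as a context line inside the `if (ctx.state.is_from_cookie && ctx.state.token)` block in the `@@ -58,8 +60,9 @@` hunk; both resolve to the same manager, so the inner declaration can be deleted now that the outer binding exists, which also avoids a `no-shadow` lint hit and a second accessor call. That context line also shows `get_task_manager` is already in scope in this file, so no import change is needed. `handler` continues past the end of this hunk.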
@@ -47,10 +48,11 @@ export async function handler(req: Request, ctx: MiddlewareHandlerContext) {
 if (allow) headers.set("Allow", allow);
 const origin = req.headers.get("origin");
 if (origin) {
- headers.set("Access-Control-Allow-Origin", origin);
+ const c = m.cfg.cors_credentials_hosts.includes(origin);
+ headers.set("Access-Control-Allow-Origin", c ? origin : "*");
 if (allow) headers.set("Access-Control-Allow-Methods", allow);
 headers.set("Access-Control-Allow-Headers", "Content-Type, Range");
- headers.set("Access-Control-Allow-Credentials", "true");
+ if (c) headers.set("Access-Control-Allow-Credentials", "true");
 }
 return new Response(null, { status: 204, headers });
 } else {
@@ -58,8 +60,9 @@ export async function handler(req: Request, ctx: MiddlewareHandlerContext) {
 const headers = new Headers(res.headers);
 const origin = req.headers.get("origin");
 if (origin) {
- headers.set("Access-Control-Allow-Origin", origin);
- headers.set("Access-Control-Allow-Credentials", "true");
+ const c = m.cfg.cors_credentials_hosts.includes(origin);
+ headers.set("Access-Control-Allow-Origin", c ? origin : "*");
+ if (c) headers.set("Access-Control-Allow-Credentials", "true");
 }
 if (ctx.state.is_from_cookie && ctx.state.token) {
 const m = get_task_manager();
diff --git a/routes/file/_middleware.ts b/routes/file/_middleware.ts
index ada9ead..a469a72 100644
--- a/routes/file/_middleware.ts
+++ b/routes/file/_middleware.ts
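Review bot: `Access-Control-Allow-Origin` now takes one of two values depending on the request's `Origin` (the echoed origin for allow-listed sites, `*` for everyone else), but neither this hunk nor the `@@ -58,8 +60,9 @@` hunk, nor the two hunks in `routes/file/_middleware.ts`, adds `Vary: Origin`, so an intermediate or browser cache may hand the `*` variant to an allow-listed origin — which the browser then rejects for a credentialed request — or the echoed variant to a different origin. Unless it is set elsewhere in these handlers (nothing in the visible hunks does), add `headers.append("Vary", "Origin");` inside each `if (origin)` block. `append` rather than `set` matters in the non-OPTIONS branches, where `headers` is copied from `res.headers` and may already carry a `Vary` value; the preflight branch builds a fresh `Headers`, so either works there.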
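Review bot: The three-line origin check is now copy-pasted four times — this hunk, the `@@ -47,10 +48,11 @@` hunk above, and both hunks of `routes/file/_middleware.ts` — so the allow-list policy lives in four places that must be kept in step. I would move it into one helper next to `get_task_manager` in `server.ts` (or another shared module) and call it from all four sites as `set_cors_origin(headers, origin, m.cfg.cors_credentials_hosts);`, leaving the preflight-only `Allow-Methods`/`Allow-Headers` lines where they are.
```typescript
/**
 * Sets the CORS origin headers for `origin`.
 * Allow-listed origins are echoed back and granted credentials; every other
 * origin gets a credential-less `*`.
 */
export function set_cors_origin(headers: Headers, origin: string, allowed: string[]) {
  const credentialed = allowed.includes(origin);
  headers.set("Access-Control-Allow-Origin", credentialed ? origin : "*");
  if (credentialed) headers.set("Access-Control-Allow-Credentials", "true");
}
```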
@@ -1,17 +1,20 @@
 import { MiddlewareHandlerContext } from "$fresh/server.ts";
+import { get_task_manager } from "../../server.ts";
 export async function handler(req: Request, ctx: MiddlewareHandlerContext) {
 const res = await ctx.next();
+ const m = get_task_manager();
 if (req.method === "OPTIONS" && res.status === 405) {
 const headers = new Headers();
 const allow = res.headers.get("Accept");
 if (allow) headers.set("Allow", allow);
 const origin = req.headers.get("origin");
 if (origin) {
- headers.set("Access-Control-Allow-Origin", origin);
+ const c = m.cfg.cors_credentials_hosts.includes(origin);
+ headers.set("Access-Control-Allow-Origin", c ? origin : "*");
 if (allow) headers.set("Access-Control-Allow-Methods", allow);
 headers.set("Access-Control-Allow-Headers", "Content-Type, Range");
- headers.set("Access-Control-Allow-Credentials", "true");
+ if (c) headers.set("Access-Control-Allow-Credentials", "true");
 }
 return new Response(null, { status: 204, headers });
 } else {
@@ -19,8 +22,9 @@ export async function handler(req: Request, ctx: MiddlewareHandlerContext) {
 const headers = new Headers(res.headers);
 const origin = req.headers.get("origin");
 if (origin) {
- headers.set("Access-Control-Allow-Origin", origin);
- headers.set("Access-Control-Allow-Credentials", "true");
+ const c = m.cfg.cors_credentials_hosts.includes(origin);
+ headers.set("Access-Control-Allow-Origin", c ? origin : "*");
+ if (c) headers.set("Access-Control-Allow-Credentials", "true");
 }
 return new Response(res.body, {
 status: res.status,