diff --git a/caddy/Caddyfile.local b/caddy/Caddyfile.local
index 0a9cf6ff..b2013e35 100644
--- a/caddy/Caddyfile.local
+++ b/caddy/Caddyfile.local
@@ -13,6 +13,27 @@
 format console
 }
+ header {
+ Access-Control-Allow-Origin "http://localhost:5173" # allows the Vue app (running on localhost:5173) to make requests.
+ Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" # Specifies which methods are allowed.
+ Access-Control-Allow-Headers "X-API-Key, X-API-Username, X-API-Signature, Content-Type, User-Agent" # allows the custom headers needed by the API.
+ }
+
+ # This handles the browser's "preflight" OPTIONS request.
+ @preflight {
+ method OPTIONS
+ header Origin *
+ }
+
+ handle @preflight {
+ # Reflect the Origin back so it's always allowed
+ header Access-Control-Allow-Origin "{http.request.header.Origin}"
+ header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+ header Access-Control-Allow-Headers "X-API-Key, X-API-Username, X-API-Signature, Content-Type, User-Agent"
+ header Access-Control-Max-Age "86400"
+ respond 204
+ }
+
 # Reverse proxy all incoming requests to the 'api' service.
 # - The service name 'api' is resolved by Docker's internal DNS to the correct container IP on the 'caddy_net' network.
 # - The API container listens on port 8080 (from the ENV_HTTP_PORT).
diff --git a/caddy/Caddyfile.prod b/caddy/Caddyfile.prod
index fb18f704..07a90b9e 100644
--- a/caddy/Caddyfile.prod
+++ b/caddy/Caddyfile.prod
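Review bot: The `handle @preflight` block in caddy/Caddyfile.local echoes whatever `Origin` the request carries into `Access-Control-Allow-Origin`, so the preflight approves every origin even though the `header` block above it names only `http://localhost:5173`; the same block is added to caddy/Caddyfile.prod under `handle_path /api/*`, where it matters more. With the preflight always passing, the browser's preflight gate no longer limits which sites can issue API calls carrying `X-API-Key`, `X-API-Username` and `X-API-Signature`; only reading the response is still held back by the fixed origin. Answer the preflight with the fixed value instead, `header Access-Control-Allow-Origin "http://localhost:5173"` here and `header Access-Control-Allow-Origin "https://oullin.io"` in the prod file, and reword the comment to `# Preflight is approved only for the configured front-end origin`. The site block that contains these lines opens above the hunk.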
@@ -31,6 +31,26 @@ oullin.io {
 # - header_up: Preserve the original Host header.
 # - header_up X-*: Forward the client headers.
 handle_path /api/* {
+ header {
+ Access-Control-Allow-Origin "https://oullin.io"
+ Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+ Access-Control-Allow-Headers "X-API-Key, X-API-Username, X-API-Signature, Content-Type, User-Agent"
+ }
+
+ @preflight {
+ method OPTIONS
+ header Origin *
+ }
+
+ handle @preflight {
+ # Reflect the Origin back so it's always allowed
+ header Access-Control-Allow-Origin "{http.request.header.Origin}"
+ header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+ header Access-Control-Allow-Headers "X-API-Key, X-API-Username, X-API-Signature, Content-Type, User-Agent"
+ header Access-Control-Max-Age "86400"
+ respond 204
+ }
+
 reverse_proxy api:8080 {
 header_up Host {host}
 header_up X-API-Username {http.request.header.X-API-Username}
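Review bot: The fixed `Access-Control-Allow-Origin "https://oullin.io"` in the new `header` block names what looks like this site's own origin (the hunk header places the block inside `oullin.io {`), and a page on that origin calling `/api/*` is same-origin, so it needs no CORS headers at all; nothing here says which cross-origin caller the block is for. Unlike the Caddyfile.local hunk, this block carries no explanatory comments, so I would add one above `header {`, for example `# CORS for <front-end origin>; same-origin pages on oullin.io do not need it`, with the real origin filled in. If no cross-origin caller exists, the `header` block and the `@preflight` handler can probably be left out of the prod file. The `handle_path /api/*` block continues past the end of the hunk.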