diff --git a/src/server/index.ts b/src/server/index.ts
index 4cb98f5..80088ca 100644
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -245,8 +245,18 @@ db.run(`
 `)
 db.run('CREATE INDEX IF NOT EXISTS idx_analytics_daily_date ON analytics_daily(date)')
-// Middleware
-app.use('*', cors())
+// Middleware - CORS: credentials=true requires explicit origin, not '*'
+// When credentials: 'include' is used in fetch(), browser requires concrete origin
+app.use('*', cors({
+ origin: (origin) => {
+ // Echo back the requesting origin if it exists (null = no origin header)
+ return origin || '*'
+ },
+ credentials: true,
+ allowHeaders: ['Origin', 'Content-Type', 'Accept', 'X-Requested-With'],
+ allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+ maxAge: 86400
+}))
 app.use('*', logger())
 // Serve static files FIRST for all contexts
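Review bot: The `origin` callback in the new `cors({...})` options echoes back whatever `Origin` header the request carried, and combined with `credentials: true` this allows any website to send credentialed requests to this API and read the responses (subject to the cookies' SameSite settings, which the hunk does not show). The browser rule cited in the added comment exists to prevent exactly that pairing, so reflecting the origin satisfies the rule while removing its protection. Compare the origin with a configured allowlist and return nothing otherwise, e.g. `origin: (origin) => (ALLOWED_ORIGINS.includes(origin) ? origin : null)`, where `ALLOWED_ORIGINS` is a placeholder for the deployment's own front-end origins. The `|| '*'` fallback should be dropped as well, because browsers reject a wildcard together with credentials and a request without an `Origin` header does not need CORS headers at all.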