diff --git a/go_cloud/internal/middleware/middleware.go b/go_cloud/internal/middleware/middleware.go
index 70d25e9..46eec90 100644
--- a/go_cloud/internal/middleware/middleware.go
+++ b/go_cloud/internal/middleware/middleware.go
@@ -36,7 +36,11 @@ func CORS(allowedOrigins string) func(http.Handler) http.Handler {
 w.Header().Set("Access-Control-Allow-Origin", "*")
 }
 w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
- w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
+ allowHeaders := []string{"Content-Type", "Authorization", "Range", "Accept", "Origin", "X-Requested-With"}
+ if reqHeaders := r.Header.Get("Access-Control-Request-Headers"); reqHeaders != "" {
+ allowHeaders = append(allowHeaders, reqHeaders)
+ }
+ w.Header().Set("Access-Control-Allow-Headers", strings.Join(uniqueStrings(allowHeaders), ", "))
 w.Header().Set("Access-Control-Expose-Headers", "Content-Length, Content-Type, Content-Disposition")
 w.Header().Set("Access-Control-Max-Age", "3600")

@@ -72,6 +76,24 @@ func compileAllowedOrigins(origins string) ([]string, bool) {
 return allowed, allowAll
 }

+func uniqueStrings(values []string) []string {
+ seen := make(map[string]struct{})
+ var out []string
+ for _, v := range values {
+ trimmed := strings.TrimSpace(v)
+ if trimmed == "" {
+ continue
+ }
+ key := strings.ToLower(trimmed)
+ if _, ok := seen[key]; ok {
+ continue
+ }
+ seen[key] = struct{}{}
+ out = append(out, trimmed)
+ }
+ return out
+}
+
 func isOriginAllowed(origin string, allowed []string) bool {
 if origin == "" {
 return false
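Review bot: The preflight's `Access-Control-Request-Headers` value is appended as one element and echoed back unfiltered, so the fixed header list no longer restricts anything for an allowed origin. Because `uniqueStrings` (second hunk) compares whole elements, a request value such as `content-type, authorization` is not deduplicated against the fixed names and the response repeats them. If echoing is intended, split first with `allowHeaders = append(allowHeaders, strings.Split(reqHeaders, ",")...)` and add `w.Header().Add("Vary", "Access-Control-Request-Headers")` so a shared cache does not reuse one client's preflight answer for another; if it is not intended, keep only the requested names that match the fixed list. Whether `Vary` is already set elsewhere in `CORS` cannot be seen here, since the function starts and ends outside the hunk.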
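Review bot: `uniqueStrings` has no doc comment, and its contract is not obvious from the name: it trims each element, skips empty ones, and keeps the first spelling of each value under case-insensitive comparison, in input order. I would add `// uniqueStrings returns values trimmed of surrounding whitespace, without empty entries, keeping the first occurrence of each value under case-insensitive comparison.` A second comment sentence stating that elements are compared whole and are not split on commas would tell callers to pass individual header names.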