diff --git a/lib/expressapp.js b/lib/expressapp.js
index 726b1e6..83f6c34 100644
--- a/lib/expressapp.js
+++ b/lib/expressapp.js
@@ -27,18 +27,26 @@ ExpressApp.start = function(opts) {
 WalletService.initialize(opts.WalletService);
 var app = express();
 app.use(function(req, res, next) {
- res.setHeader('Access-Control-Allow-Origin', '*');
+ if (req.headers.cookie) {
+ res.setHeader('Access-Control-Allow-Origin', '*');
+ }
+ else {
+ res.setHeader('Access-Control-Allow-Origin', req.headers.origin);
+ }
 res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, PUT, DELETE');
- res.setHeader('Access-Control-Allow-Headers', 'X-Requested-With,Content-Type,Authorization');
+ res.setHeader('Access-Control-Allow-Headers', 'x-signature,x-identity,X-Requested-With,Content-Type,Authorization');
 next();
 });
 var allowCORS = function(req, res, next) {
 if ('OPTIONS' == req.method) {
- res.sendStatus(200);
+ var headers = {};
+ headers['Access-Control-Allow-Credentials'] = true;
+ res.writeHead(200, headers);
 res.end();
- return;
 }
- next();
+ else {
+ next();
+ }
 }
 app.use(allowCORS);
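Review bot: The `else` branch of the first middleware copies `req.headers.origin` into `Access-Control-Allow-Origin` without checking it, and the OPTIONS branch of `allowCORS` answers every preflight with `Access-Control-Allow-Credentials: true`. Since a preflight normally carries no cookie, it takes the reflecting branch, so any origin is approved as a credentialed one. The same branch passes `undefined` to `res.setHeader` when a request has no Origin header, which current Node versions reject with an exception, and the reflected value is sent without `Vary: Origin`. Reflect the origin, and send the credentials header, only when it is on a configured allowlist, keeping `*` for everything else; `allowedOrigins` below is a placeholder for that list, which the hunk does not define. `ExpressApp.start` begins and continues outside the hunk.

```javascript
app.use(function(req, res, next) {
  // allowedOrigins: placeholder for a configured list of trusted origins
  var origin = req.headers.origin;
  var trusted = !!origin && allowedOrigins.indexOf(origin) !== -1;
  if (trusted) {
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Access-Control-Allow-Credentials', 'true');
    res.setHeader('Vary', 'Origin');
  } else {
    res.setHeader('Access-Control-Allow-Origin', '*');
  }
  // … unchanged: Access-Control-Allow-Methods, Access-Control-Allow-Headers, next() …
});

var allowCORS = function(req, res, next) {
  if ('OPTIONS' == req.method) {
    // credentials header is set by the middleware above, for trusted origins only
    res.writeHead(200);
    res.end();
  }
  // … unchanged: else { next(); } …
}
```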