diff --git a/docker/ploughshares/app.py b/docker/ploughshares/app.py
index dd358e4..ebc3a6e 100644
--- a/docker/ploughshares/app.py
+++ b/docker/ploughshares/app.py
@@ -154,8 +154,13 @@ def add_api_headers(response):
         # Add CORS headers for API routes
         response.headers['Access-Control-Allow-Origin'] = '*'
         response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, OPTIONS'
-        response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
+        response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization, X-Requested-With, Accept, Origin, Cache-Control'
+        response.headers['Access-Control-Allow-Credentials'] = 'true'
+        response.headers['Access-Control-Max-Age'] = '3600'
         response.headers['Cross-Origin-Resource-Policy'] = 'cross-origin'
+        # Remove COEP for API routes as it can block some clients
+        if 'Cross-Origin-Embedder-Policy' in response.headers:
+            del response.headers['Cross-Origin-Embedder-Policy']
     else:
         # For UI routes, add additional security headers
         for header, value in additional_headers.items():
@@ -169,7 +174,9 @@ def api_options(path):
     response = jsonify({'status': 'ok'})
     response.headers['Access-Control-Allow-Origin'] = '*'
     response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, OPTIONS'
-    response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
+    response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization, X-Requested-With, Accept, Origin, Cache-Control'
+    response.headers['Access-Control-Allow-Credentials'] = 'true'
+    response.headers['Access-Control-Max-Age'] = '3600'
     return response
 
 # Create a test API endpoint to verify the CSP settings
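Review bot: The added `Access-Control-Allow-Credentials: 'true'` sits next to the existing `Access-Control-Allow-Origin: '*'`, a combination the CORS specification forbids — browsers refuse to expose a credentialed response when the allowed origin is the wildcard, so the new header either does nothing today or becomes a cross-origin credential-leak the moment someone "fixes" it by reflecting the request's `Origin`. The same pair appears in the second hunk for `api_options`, so the decision should be made once for both. Either drop the `Allow-Credentials` line in both places, or if credentialed cross-origin calls are genuinely required, replace the wildcard with an explicit allowlist check such as `origin = request.headers.get('Origin')` / `if origin in ALLOWED_ORIGINS: response.headers['Access-Control-Allow-Origin'] = origin` and add `response.headers['Vary'] = 'Origin'` so caches do not serve one origin's response to another. The comment on the COEP removal would also help readers more if it named which clients broke, e.g. `# Remove COEP for API routes: blocks <client> — see <issue>`. add_api_headers begins outside the hunk, so I cannot see how `additional_headers` or the route test is defined.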