diff --git a/backend/docker-compose.yml b/backend/docker-compose.yml
index fc08ee1..564e5b6 100644
--- a/backend/docker-compose.yml
+++ b/backend/docker-compose.yml
@@ -73,7 +73,7 @@ services:
       HARBOR_PASSWORD: ${HARBOR_PASSWORD:-}
       NFS_SERVER: ${NFS_SERVER:-}
       NFS_SHARE: ${NFS_SHARE:-}
-      ALLOWED_DEV_ORIGINS: ${ALLOWED_DEV_ORIGINS:-}
+      ALLOWED_DEV_ORIGINS: ${ALLOWED_DEV_ORIGINS:-*}
     ports:
       - "${BACKEND_PORT:-8080}:8080"
     volumes:
diff --git a/infra/nginx/default.conf b/infra/nginx/default.conf
index 33b5bb8..11f38fe 100644
--- a/infra/nginx/default.conf
+++ b/infra/nginx/default.conf
@@ -46,7 +46,21 @@ server {
 
     # API 请求代理到 backend 服务
     location /api/ {
-        add_header Content-Security-Policy $csp_header always;
+        # Allow CORS for API endpoints
+        if ($request_method = 'OPTIONS') {
+            add_header 'Access-Control-Allow-Origin' '*';
+            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
+            add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
+            add_header 'Access-Control-Max-Age' 1728000;
+            add_header 'Content-Type' 'text/plain; charset=utf-8';
+            add_header 'Content-Length' 0;
+            return 204;
+        }
+        add_header 'Access-Control-Allow-Origin' '*' always;
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
+        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
+        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
+
         proxy_pass         http://ocdp-backend:8080;
         proxy_http_version 1.1;
         proxy_set_header   Host $host;