diff --git a/src/main/java/de/avatic/lcc/config/SecurityConfig.java b/src/main/java/de/avatic/lcc/config/SecurityConfig.java
index f53200a..c3f7811 100644
--- a/src/main/java/de/avatic/lcc/config/SecurityConfig.java
+++ b/src/main/java/de/avatic/lcc/config/SecurityConfig.java
@@ -101,13 +101,11 @@ public class SecurityConfig {
 return http.build();
 }
- // Production CORS Configuration
 @Bean
 @Profile("!dev & !test")
 public CorsConfigurationSource prodCorsConfigurationSource() {
+ UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-
- // CORS for /oauth2/token
 CorsConfiguration tokenConfiguration = new CorsConfiguration();
 if ("*".equals(oauthTokenCors)) {
 tokenConfiguration.setAllowedOriginPatterns(List.of("*"));
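Review bot: The hoisted `UrlBasedCorsConfigurationSource source` declaration only pays off because the following hunk now registers `/oauth2/token` before `/**`, and as far as I know `UrlBasedCorsConfigurationSource` hands back the first registered pattern that matches the request path, so that ordering is load-bearing yet nothing in the code says so (the old `// CORS for /oauth2/token` comment is dropped here too). I would keep a comment above the new `source` line such as `// Register the specific /oauth2/token config before the /** catch-all: the first matching pattern wins.` Separately, the `tokenConfiguration.setAllowedOriginPatterns(List.of("*"))` branch remains reachable in this `!dev & !test` bean, so a production deployment can still opt into reflecting any Origin for the token endpoint; at minimum that branch deserves a warning log so the choice is visible at startup. `prodCorsConfigurationSource()` continues past the end of this hunk.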
@@ -120,33 +118,35 @@ public class SecurityConfig {
 tokenConfiguration.setAllowedOrigins(Arrays.asList(tokenOrigins));
 }
 }
+ tokenConfiguration.setAllowedMethods(Arrays.asList("POST", "OPTIONS"));
+ tokenConfiguration.setAllowedHeaders(List.of("*"));
+ tokenConfiguration.setAllowCredentials(true);
+ tokenConfiguration.setMaxAge(3600L);
+
+ source.registerCorsConfiguration("/oauth2/token", tokenConfiguration);
+
 CorsConfiguration configuration = new CorsConfiguration();
-
 if ("*".equals(allowedCors)) {
 configuration.setAllowedOriginPatterns(List.of("*"));
 } else {
- // Parse comma-separated origins from property
 String[] origins = allowedCors.split(",");
 for (int i = 0; i < origins.length; i++) {
 origins[i] = origins[i].trim();
 }
-
 if (origins.length != 0) {
 configuration.setAllowedOrigins(Arrays.asList(origins));
 }
 }
- configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
 configuration.setAllowedHeaders(List.of("*"));
 configuration.setAllowCredentials(true);
 configuration.setMaxAge(3600L);
- configuration.setExposedHeaders(Arrays.asList("X-Total-Count", "X-Page-Count", "X-Current-Page"));
- UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
 source.registerCorsConfiguration("/**", configuration);
- source.registerCorsConfiguration("/oauth2/token", tokenConfiguration);
+
 return source;
 }
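Review bot: The added `tokenConfiguration.setAllowCredentials(true)` is combined, whenever `oauthTokenCors` is `*`, with the `setAllowedOriginPatterns(List.of("*"))` branch from the previous hunk, and that pairing makes Spring echo any request Origin back in `Access-Control-Allow-Origin` alongside `Access-Control-Allow-Credentials: true` — the origin-pattern form is exactly what sidesteps `CorsConfiguration`'s refusal to pair a literal `*` origin with credentials, so in this production-profile bean the wildcard setting amounts to credentialed CORS from anywhere on the token endpoint. Either make credentials conditional, `tokenConfiguration.setAllowCredentials(!"*".equals(oauthTokenCors));`, or fail fast in this bean when the wildcard is configured, so an operator cannot reach that state by accident. The `/**` configuration below carries the same wildcard-plus-credentials combination, so whichever way it is resolved should apply to both and be stated in a comment rather than left implicit. `prodCorsConfigurationSource()` begins in the previous hunk.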