diff --git a/src/cors.js b/src/cors.js
index 8b060e2..7616f44 100644
--- a/src/cors.js
+++ b/src/cors.js
@@ -1,6 +1,17 @@
 function setCorsHeaders(request, response, corsConfig) {
 	const origin = request.headers.get('Origin');
-	const matchingOrigin = corsConfig.allow_origins.find((allowedOrigin) => allowedOrigin === origin);
+	console.log('Origin:', origin);
+	const matchingOrigin = corsConfig.allow_origins.find((allowedOrigin) => {
+		if (allowedOrigin === origin) {
+			return true;
+		}
+		if (allowedOrigin === '*') {
+			return true;
+		}
+		return false;
+	});
+
+	console.log('Matching Origin:', matchingOrigin);
 
 	const headers = new Headers(response.headers);
 	headers.set('Access-Control-Allow-Origin', matchingOrigin || corsConfig.allow_origins[0]);
diff --git a/src/index.js b/src/index.js
index 7d6e497..199586e 100644
--- a/src/index.js
+++ b/src/index.js
@@ -145,8 +145,6 @@ export default {
 					}
 				}
 
-				console.log('Matched path:', matchedPath.config);
-
 				if (matchedPath.config.integration && matchedPath.config.integration.type == IntegrationTypeEnum.HTTP_PROXY) {
 					const server =
 						sagContext.apiConfig.servers &&
@@ -229,14 +227,16 @@ export default {
 					const phone = requestBody.phone;
 
 					if (email) {
-						return await supabaseEmailOTP(env, email);
+						const response = await supabaseEmailOTP(env, email)
+						return setPoweredByHeader(setCorsHeaders(request, response, sagContext.apiConfig.cors));
 					} else if (phone) {
-						return await supabasePhoneOTP(env, phone);
+						const response = await supabasePhoneOTP(env, phone)
+						return setPoweredByHeader(setCorsHeaders(request, response, sagContext.apiConfig.cors));
 					} else {
-						return new Response(safeStringify({ error: 'Missing email or phone', code: 'missing_email_or_phone' }), {
+						return setPoweredByHeader(setCorsHeaders(new Response(safeStringify({ error: 'Missing email or phone', code: 'missing_email_or_phone' }), {
 							status: 400,
 							headers: { 'Content-Type': 'application/json' },
-						});
+						})));
 					}
 				} else if (matchedPath.config.integration && matchedPath.config.integration.type == IntegrationTypeEnum.SUPABASEPASSWORDLESSVERIFY) {
 					const requestBody = await request.json();