diff --git a/docker/nginx.conf b/docker/nginx.conf
index 7d4c4c55..b3fa9f1b 100644
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -28,14 +28,18 @@ http {
 add_header X-Content-Type-Options nosniff always;
 add_header X-XSS-Protection "1; mode=block" always;
- # CORS headers for Electron iframe
- add_header Access-Control-Allow-Origin * always;
+ # CORS headers for Electron iframe - reflect the origin for credentials support
+ add_header Access-Control-Allow-Origin $http_origin always;
 add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS, PATCH" always;
 add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" always;
 add_header Access-Control-Allow-Credentials "true" always;
 # Handle preflight requests
 if ($request_method = 'OPTIONS') {
+ add_header Access-Control-Allow-Origin $http_origin always;
+ add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS, PATCH" always;
+ add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" always;
+ add_header Access-Control-Allow-Credentials "true" always;
 return 204;
 }
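Review bot: Reflecting `$http_origin` verbatim while also sending `Access-Control-Allow-Credentials "true"` lets any website make credentialed cross-origin requests to this server and read the responses, which is strictly worse than the `*` it replaces (browsers refuse `*` in credentialed mode, so the old config at least failed closed). Both the main `add_header Access-Control-Allow-Origin $http_origin always;` line and its copy inside the `if ($request_method = 'OPTIONS')` block should instead use a value derived from an allow-list, e.g. a `map $http_origin $cors_origin` block in the `http {}` context; nginx omits an `add_header` whose value is empty, so unknown origins simply get no CORS header. A `Vary: Origin` header should accompany any per-origin value so a shared cache does not serve one origin's response to another. The hunk context line suggests these directives sit directly under `http {`, but `if` is only valid in `server`/`location`, so where the map belongs should be confirmed against the rest of the file; the Electron app's real origin is not visible here and is left as a TODO in the sketch below.

```nginx
# Allow-list the origins permitted to make credentialed requests; anything else
# yields an empty $cors_origin and nginx then omits the header entirely.
map $http_origin $cors_origin {
    default "";
    "~^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?$" $http_origin;   # TODO: replace with the Electron app's actual origin(s)
}

# … unchanged: X-Content-Type-Options / X-XSS-Protection …
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Vary Origin always;
# … unchanged: Allow-Methods / Allow-Headers / Allow-Credentials …

if ($request_method = 'OPTIONS') {
    add_header Access-Control-Allow-Origin $cors_origin always;
    add_header Vary Origin always;
    # … unchanged: Allow-Methods / Allow-Headers / Allow-Credentials, return 204 …
```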