diff --git a/src/main/java/blacktokkies/toquiz/config/secure/SecurityConfig.java b/src/main/java/blacktokkies/toquiz/config/secure/SecurityConfig.java
index a8e88cf..f5284a8 100644
--- a/src/main/java/blacktokkies/toquiz/config/secure/SecurityConfig.java
+++ b/src/main/java/blacktokkies/toquiz/config/secure/SecurityConfig.java
@@ -10,6 +10,11 @@ import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+import java.util.Collections;
 @Configuration
 @EnableWebSecurity
@@ -17,14 +22,30 @@ public class SecurityConfig {
 private final JwtAuthenticationFilter jwtAuthFilter;
 private final AuthenticationProvider authenticationProvider;
- private final CustomAccessDeniedHandler customAccessDeniedHandler;
 private final CustomAuthenticationEntryPoint customAuthenticationEntryPoint;
+ @Bean
+ public CorsConfigurationSource corsConfigurationSource() {
+ CorsConfiguration configuration = new CorsConfiguration();
+
+ configuration.setAllowedOriginPatterns(Collections.singletonList("*"));
+ configuration.addAllowedHeader("*");
+ configuration.addAllowedMethod("*");
+ configuration.setAllowCredentials(true);
+
+ UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+ source.registerCorsConfiguration("/**", configuration);
+ return source;
+ }
+ @Bean
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 http
+ .httpBasic().disable()
 .csrf()
- .disable();
+ .disable()
+ .cors()
+ .configurationSource(corsConfigurationSource());
 http.authorizeHttpRequests()
 .requestMatchers(
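Review bot: In `corsConfigurationSource()`, `setAllowedOriginPatterns(Collections.singletonList("*"))` combined with `setAllowCredentials(true)` allows every origin to send credentialed requests and read the responses, because with origin patterns Spring echoes the caller's Origin back rather than rejecting the wildcard. With `.csrf().disable()` in the same chain, any credential carried in a cookie would be usable from an arbitrary site; the diff does not show whether the JWT travels in a cookie or a header, so the exposure depends on that. Restrict the configuration to the known front-end origins, ideally read from application properties, e.g. `configuration.setAllowedOrigins(List.of("https://frontend.example"));` (placeholder origin, needs `java.util.List`), and list the methods and headers actually used instead of `"*"`. `securityFilterChain` continues past the end of this hunk, so the rest of the chain is not covered by this note.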
@@ -37,7 +58,6 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 .authenticated();
 http.exceptionHandling()
- .accessDeniedHandler(customAccessDeniedHandler)
 .authenticationEntryPoint(customAuthenticationEntryPoint);
 http.sessionManagement()