diff --git a/src/app.ts b/src/app.ts
index 9e89e8a..cd128d2 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -25,6 +25,12 @@ const CORS_CACHE_TTL_MS = Number(process.env.CORS_CACHE_TTL_MS) || 5 * 60 * 1000;
 app.use((req, res, next) => {
+ const publicCorsOptions = {
+ origin: "*",
+ methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"],
+ credentials: false, // must be false when origin is "*"
+ };
+ return (cors(publicCorsOptions) as any)(req, res, next);
 // Check if this is a public API endpoint that should allow any origin
 const isPublicAPIEndpoint = req.path.match(/^\/[^\/]+\/transfer-va\/(inquiry|payment)$/) ||
@@ -48,19 +54,10 @@ app.use((req, res, next) => {
 ) => {
 // allow non-browser requests with no origin (curl/server-to-server)
 if (!origin) return callback(null, true);
-
- // Normalize client key from headers (case-insensitive). Note: during
- // browser preflight (OPTIONS) the browser will NOT send the actual
- // custom header values; it only sends Access-Control-Request-Headers
- // listing the header names. That means we cannot rely on header values
- // being present on OPTIONS. To improve reliability we also accept a
- // clientKey via query parameter and fall back to matching the origin
- // against the `whitelistcors` table below.
 const cacheKey = "__default__";
 (async () => {
 try {
- const cached = corsCache.get(cacheKey);
 let allowedOrigins: string[] = [];
 allowedOrigins = (process.env.DEFAULT_CORS_ORIGINS || "")
 .split(",")
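Review bot: The added `return (cors(publicCorsOptions) as any)(req, res, next);` is the first statement executed in the `app.use` middleware and runs unconditionally, so every request on every path is answered with `Access-Control-Allow-Origin: *` and the `isPublicAPIEndpoint` test and the origin-whitelist logic that follow it become unreachable dead code. If the wildcard is intended only for the public transfer-va endpoints, the return needs to move below the `isPublicAPIEndpoint` check and be guarded, e.g. `if (isPublicAPIEndpoint) return cors(publicCorsOptions)(req, res, next);`, which also removes the need for the `as any` cast since `cors()` already returns an Express-compatible handler. The `app.use` callback continues past the end of both hunks, so the whitelist branch being silenced is only partly visible here. In the second hunk the read `corsCache.get(cacheKey)` is removed while `cacheKey` is still declared; if a `corsCache.set(cacheKey, …)` survives outside the hunk the cache has become write-only, and either the lookup should be restored or the cache and key removed together.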