diff --git a/nginx.conf b/nginx.conf index 151c7a4..a6c7158 100644 --- a/nginx.conf +++ b/nginx.conf @@ -27,6 +27,13 @@ map $http_upgrade $connection_upgrade { '' close; } +# CORS: reflect Origin if present (fixes credentials-mode restriction) +# If no Origin header -> do not send A-C-A-Origin +map $http_origin $cors_origin { + "" ""; + ~^https?://[^/]+$ $http_origin; +} + server { listen 80; server_name my-public-node-8.projscale.dev; @@ -49,7 +56,7 @@ server { ssl_session_cache shared:SSL:10m; ssl_session_timeout 1d; ssl_session_tickets off; - # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # enable after confirming HTTPS only + # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # Общие параметры для стабильности и больших файлов client_max_body_size 10G; @@ -69,10 +76,12 @@ server { add_header Referrer-Policy strict-origin-when-cross-origin always; add_header X-Request-Id $req_id always; - # CORS (для API и префлайтов) - add_header Access-Control-Allow-Origin * always; - add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PATCH, HEAD" always; + # CORS: apply globally; specific locations may add extra Expose/Allow lists + add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD" always; add_header Access-Control-Allow-Headers "Origin, Cache-Control, Content-Type, Accept, Authorization, Referer, User-Agent, Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Tus-Resumable, tus-resumable, Upload-Length, upload-length, Upload-Offset, upload-offset, Upload-Metadata, upload-metadata, Upload-Defer-Length, upload-defer-length, Upload-Concat, upload-concat, x-file-name, x-last-chunk, x-chunk-start, x-upload-id, x-request-id" always; + add_header Vary "Origin" always; # Статика фронтенда (SPA) location / { 
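Review bot: The new `map $http_origin $cors_origin` accepts any value matching `~^https?://[^/]+$`, so every syntactically valid origin is reflected into `Access-Control-Allow-Origin`, and the same hunk series then pairs it with `Access-Control-Allow-Credentials "true"` (server block here, and the tus, file GET/HEAD and API locations in the later hunks). That combination is what the browser's credentials-mode rule is designed to forbid: any third-party page can now issue cookie- or Authorization-bearing requests to this host and read the responses, which the old `*` could not do. The map should be an explicit allowlist of the front-end origins rather than a shape check, e.g. `default "";` followed by one entry per trusted origin such as `"https://<frontend-origin>" $http_origin;` (placeholder, replace with the real origin(s)), keeping `"" "";` for requests without Origin. If a wildcard-style rule is truly needed, drop `Allow-Credentials` instead of reflecting; the two cannot safely coexist. The `~^http://` branch of the regex also lets a plain-http origin obtain credentialed responses from this TLS endpoint.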
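Review bot: The new comment `# CORS: apply globally; specific locations may add extra Expose/Allow lists` states the opposite of how nginx `add_header` inherits: a location that declares any `add_header` of its own replaces the whole server-level set rather than extending it, and the tus, file GET/HEAD and API locations changed in the later hunks each declare their own. In those locations the server-level headers (including `Referrer-Policy` and `X-Request-Id` visible at the top of this hunk, and whatever precedes them outside it) are therefore not emitted at all; this predates the commit, but the comment now documents it incorrectly. Suggest `# CORS defaults for locations without their own add_header; a location that sets any add_header must repeat the full list (nginx does not merge)`.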
@@ -123,10 +132,14 @@ server { proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Request-Id $req_id; - add_header Access-Control-Allow-Origin * always; + + # CORS for tus + add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Credentials "true" always; add_header Access-Control-Allow-Methods "GET, POST, PATCH, HEAD, OPTIONS" always; add_header Access-Control-Allow-Headers "Origin, Cache-Control, Content-Type, Accept, Authorization, Referer, User-Agent, Tus-Resumable, Upload-Length, Upload-Offset, Upload-Metadata, Upload-Defer-Length, Upload-Concat" always; add_header Access-Control-Expose-Headers "Location, Upload-Offset, Tus-Version, Tus-Resumable, Tus-Max-Size, Tus-Extension" always; + add_header Vary "Origin" always; if ($request_method = OPTIONS) { return 204; } } @@ -152,10 +165,14 @@ server { proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Request-Id $req_id; - add_header Access-Control-Allow-Origin * always; + + # CORS for file GET/HEAD + add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Credentials "true" always; add_header Access-Control-Allow-Methods "GET, HEAD, OPTIONS" always; add_header Access-Control-Allow-Headers "Origin, Cache-Control, Content-Type, Accept, Authorization, Referer, User-Agent" always; add_header Access-Control-Expose-Headers "Location, Upload-Offset, Tus-Version, Tus-Resumable, Tus-Max-Size, Tus-Extension" always; + add_header Vary "Origin" always; if ($request_method = OPTIONS) { return 204; } } 
@@ -181,9 +198,12 @@ server { proxy_send_timeout 300s; proxy_read_timeout 300s; - add_header Access-Control-Allow-Origin * always; - add_header Access-Control-Allow-Methods "GET, HEAD, OPTIONS" always; - add_header Access-Control-Allow-Headers "Origin, Cache-Control, Content-Type, Accept, Authorization, Referer, User-Agent" always; + # CORS for API + add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD" always; + add_header Access-Control-Allow-Headers "Origin, Cache-Control, Content-Type, Accept, Authorization, Referer, User-Agent, Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site" always; + add_header Vary "Origin" always; # Вебсокеты (на будущее) proxy_set_header Upgrade $http_upgrade; @@ -201,4 +221,4 @@ server { proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Request-Id $req_id; } -} +} \ No newline at end of file