diff --git a/index.js b/index.js
index 0ad1fabe..09eb58cf 100644
--- a/index.js
+++ b/index.js
@@ -20,6 +20,32 @@ import contactRoutes from "./src/routes/contact.routes.js";
 const app = express();
+// Handler explicite pour les requêtes preflight OPTIONS
+app.options('*', (req, res) => {
+ const allowedOrigins = [
+ "http://localhost:3000",
+ "http://localhost:3001",
+ "http://localhost:3002",
+ "http://localhost:3003",
+ "http://localhost:3004",
+ "http://localhost:3005",
+ "https://dsp5-archi-o24a-15m-g3.fr",
+ "https://dev.dsp5-archi-o24a-15m-g3.fr",
+ "https://preprod.dsp5-archi-o24a-15m-g3.fr"
+ ];
+ const origin = req.headers.origin;
+ if (!origin || allowedOrigins.includes(origin)) {
+ res.header('Access-Control-Allow-Origin', origin || '*');
+ } else {
+ res.header('Access-Control-Allow-Origin', origin); // Autorise tout en dev
+ }
+ res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, PATCH, OPTIONS');
+ res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With');
+ res.header('Access-Control-Allow-Credentials', 'true');
+ res.header('Access-Control-Max-Age', '86400');
+ res.sendStatus(204);
+});
+
 // CORS doit être configuré AVANT helmet
 app.use(
 cors({
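Review bot: The `else` branch of the new `app.options('*', …)` handler echoes any request `Origin` back in `Access-Control-Allow-Origin`, and `Access-Control-Allow-Credentials: true` is then set unconditionally, so the `allowedOrigins` list restricts nothing for preflights; the inline comment says "dev", but no environment check is visible in the hunk. Emit the CORS headers only for listed origins, e.g. `if (origin && allowedOrigins.includes(origin)) { res.header('Access-Control-Allow-Origin', origin); res.header('Access-Control-Allow-Credentials', 'true'); res.header('Vary', 'Origin'); }`, and drop the `origin || '*'` fallback, since browsers reject a wildcard combined with credentials. `Vary: Origin` matters because the response differs per origin and is cacheable for the 86400 seconds requested by `Access-Control-Max-Age`. This handler is registered before `cors({…})`, so it presumably answers every preflight itself; the `cors` options continue outside the hunk, so confirm the two allowlists agree or let the middleware handle OPTIONS alone.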