diff --git a/apps/core/src/bootstrap.ts b/apps/core/src/bootstrap.ts
index 193480ec..6f75880f 100644
--- a/apps/core/src/bootstrap.ts
+++ b/apps/core/src/bootstrap.ts
@@ -42,6 +42,7 @@ export async function bootstrap() {
 
   const allowAllCors: FastifyCorsOptions = {
     credentials: true,
+    methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
     origin: (origin, callback) => callback(null, origin || ''),
   }
   // Origin 如果不是数组就全部允许跨域
@@ -69,6 +70,7 @@ export async function bootstrap() {
             credentials: true,
             preflightContinue: false,
             optionsSuccessStatus: 204,
+            methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
           }
         : allowAllCors,
   )
diff --git a/apps/core/src/modules/auth/auth.implement.ts b/apps/core/src/modules/auth/auth.implement.ts
index 344e3bd8..4762e975 100644
--- a/apps/core/src/modules/auth/auth.implement.ts
+++ b/apps/core/src/modules/auth/auth.implement.ts
@@ -138,12 +138,6 @@ export async function CreateAuth(
 
   const handler = async (req: IncomingMessage, res: ServerResponse) => {
     try {
-      res.setHeader('access-control-allow-methods', 'GET, POST')
-      res.setHeader('access-control-allow-headers', 'content-type')
-      res.setHeader(
-        'Access-Control-Allow-Origin',
-        req.headers.origin || req.headers.referer || req.headers.host || '*',
-      )
       res.setHeader('access-control-allow-credentials', 'true')
 
       const clonedRequest = new IncomingMessage(req.socket)