diff --git a/backend/infrastructure/security/src/main/kotlin/at/mocode/infrastructure/security/GlobalSecurityConfig.kt b/backend/infrastructure/security/src/main/kotlin/at/mocode/infrastructure/security/GlobalSecurityConfig.kt
index 5b7440ba..37d76c8e 100644
--- a/backend/infrastructure/security/src/main/kotlin/at/mocode/infrastructure/security/GlobalSecurityConfig.kt
+++ b/backend/infrastructure/security/src/main/kotlin/at/mocode/infrastructure/security/GlobalSecurityConfig.kt
@@ -90,10 +90,13 @@ class GlobalSecurityConfig {
       "http://localhost:4000"
     )
     configuration.allowedOriginPatterns = listOf(
-      "*"
+      "https://*.mo-code.at",
+      "http://localhost:[*]"
     )
-    configuration.allowedMethods = listOf("GET", "POST", "PUT", "DELETE", "OPTIONS")
+    configuration.allowedMethods = listOf("GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD")
     configuration.allowedHeaders = listOf("*")
+    configuration.exposedHeaders = listOf("Authorization", "Content-Type")
+    configuration.maxAge = 3600L
     configuration.allowCredentials = true
     val source = UrlBasedCorsConfigurationSource()
     source.registerCorsConfiguration("/**", configuration)
diff --git a/docs/03_Journal/2026-04-23_Plan-B-Formulare.md b/docs/03_Journal/2026-04-23_Plan-B-Formulare.md
index fa0640e3..5edaf298 100644
--- a/docs/03_Journal/2026-04-23_Plan-B-Formulare.md
+++ b/docs/03_Journal/2026-04-23_Plan-B-Formulare.md
@@ -64,3 +64,10 @@ Die "Hallo Du!" Test-UI wurde durch produktive, fachlich korrekte Formulare erse
     - Implementierung einer `WebMvcConfigurer` Bean direkt in `MailServiceApplication.kt` für ein zweites, redundantes CORS-Mapping.
     - Lockerung der `allowedOriginPatterns` in `GlobalSecurityConfig.kt` auf `*`.
 - **Status**: Versionsmarker auf v19 aktualisiert.
+
+### v2026-04-23.20 - CLOUDFLARE DNS VERIFIED & CORS POLISHING
+- **Analyse**: DNS-Einträge in Cloudflare geprüft (Screenshot). Alle Einträge stehen auf "Nur DNS" (graue Wolke). Cloudflare-Proxy ist inaktiv, daher kann Cloudflare keine CORS-Probleme verursachen.
+- **Lösung**: 
+    - CORS-Konfiguration in `GlobalSecurityConfig.kt` finalisiert: Whitelist für `https://*.mo-code.at` und `http://localhost:[*]` verfeinert.
+    - `allowedMethods` um `HEAD` erweitert und `exposedHeaders` hinzugefügt, um Browser-Warnungen zu eliminieren.
+- **Status**: Versionsmarker auf v2026-04-23.20 aktualisiert.
diff --git a/docs/ScreenShots/Cloudflare_DNS-Eintraege_2026-04-23_12-37.png b/docs/ScreenShots/Cloudflare_DNS-Eintraege_2026-04-23_12-37.png
new file mode 100644
index 00000000..fd2732c0
Binary files /dev/null and b/docs/ScreenShots/Cloudflare_DNS-Eintraege_2026-04-23_12-37.png differ
diff --git a/frontend/shells/meldestelle-web/src/wasmJsMain/kotlin/at/mocode/frontend/shell/web/WebMainScreen.kt b/frontend/shells/meldestelle-web/src/wasmJsMain/kotlin/at/mocode/frontend/shell/web/WebMainScreen.kt
index 7c208e7a..ea1a1804 100644
--- a/frontend/shells/meldestelle-web/src/wasmJsMain/kotlin/at/mocode/frontend/shell/web/WebMainScreen.kt
+++ b/frontend/shells/meldestelle-web/src/wasmJsMain/kotlin/at/mocode/frontend/shell/web/WebMainScreen.kt
@@ -124,7 +124,7 @@ fun MainAppContent() {
       // Dezentraler Versions-Marker in der unteren rechten Ecke
       Box(modifier = Modifier.fillMaxSize().padding(8.dp), contentAlignment = Alignment.BottomEnd) {
         Text(
-          text = "v2026-04-23.19 - NUCLEAR CORS FIX",
+          text = "v2026-04-23.20 - CLOUDFLARE DNS VERIFIED",
           style = MaterialTheme.typography.labelSmall,
           color = Color.LightGray.copy(alpha = 0.5f)
         )