diff --git a/backend/infrastructure/security/src/main/kotlin/at/mocode/infrastructure/security/GlobalSecurityConfig.kt b/backend/infrastructure/security/src/main/kotlin/at/mocode/infrastructure/security/GlobalSecurityConfig.kt
index 37d76c8e..a90c6e5b 100644
--- a/backend/infrastructure/security/src/main/kotlin/at/mocode/infrastructure/security/GlobalSecurityConfig.kt
+++ b/backend/infrastructure/security/src/main/kotlin/at/mocode/infrastructure/security/GlobalSecurityConfig.kt
@@ -81,23 +81,13 @@ class GlobalSecurityConfig {
   @Bean
   fun corsConfigurationSource(): CorsConfigurationSource {
     val configuration = CorsConfiguration()
-    configuration.allowedOrigins = listOf(
-      "https://app.mo-code.at",
-      "https://api.mo-code.at",
-      "http://localhost:8080",
-      "http://localhost:8083",
-      "http://localhost:8092",
-      "http://localhost:4000"
-    )
-    configuration.allowedOriginPatterns = listOf(
-      "https://*.mo-code.at",
-      "http://localhost:[*]"
-    )
+    configuration.allowedOrigins = listOf("*")
+    configuration.allowedOriginPatterns = listOf("*")
     configuration.allowedMethods = listOf("GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD")
     configuration.allowedHeaders = listOf("*")
-    configuration.exposedHeaders = listOf("Authorization", "Content-Type")
+    configuration.exposedHeaders = listOf("*")
     configuration.maxAge = 3600L
-    configuration.allowCredentials = true
+    configuration.allowCredentials = false
     val source = UrlBasedCorsConfigurationSource()
     source.registerCorsConfiguration("/**", configuration)
     return source
diff --git a/backend/services/mail/mail-service/src/main/kotlin/at/mocode/mail/service/MailServiceApplication.kt b/backend/services/mail/mail-service/src/main/kotlin/at/mocode/mail/service/MailServiceApplication.kt
index 8ce823fe..b6e1d345 100644
--- a/backend/services/mail/mail-service/src/main/kotlin/at/mocode/mail/service/MailServiceApplication.kt
+++ b/backend/services/mail/mail-service/src/main/kotlin/at/mocode/mail/service/MailServiceApplication.kt
@@ -20,11 +20,10 @@ class MailServiceApplication(private val env: Environment) {
     return object : WebMvcConfigurer {
       override fun addCorsMappings(registry: CorsRegistry) {
         registry.addMapping("/**")
-          .allowedOrigins("https://app.mo-code.at", "https://api.mo-code.at")
-          .allowedOriginPatterns("https://*.mo-code.at")
-          .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
+          .allowedOrigins("*")
+          .allowedMethods("*")
           .allowedHeaders("*")
-          .allowCredentials(true)
+          .allowCredentials(false)
       }
     }
   }
diff --git a/config/docker/caddy/web-app/Caddyfile b/config/docker/caddy/web-app/Caddyfile
index 60bd882c..260ce96c 100644
--- a/config/docker/caddy/web-app/Caddyfile
+++ b/config/docker/caddy/web-app/Caddyfile
@@ -23,22 +23,22 @@
 		@options method OPTIONS
 		handle @options {
 			header {
-				Access-Control-Allow-Origin "https://app.mo-code.at"
+				Access-Control-Allow-Origin "*"
 				Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
 				Access-Control-Allow-Headers "*"
-				Access-Control-Allow-Credentials "true"
+				Access-Control-Expose-Headers "*"
 				Access-Control-Max-Age "3600"
-				X-Caddy-CORS "preflight-v25"
+				X-Caddy-CORS "preflight-v26"
 			}
 			respond "" 204
 		}
 
 		header {
-			Access-Control-Allow-Origin "https://app.mo-code.at"
+			Access-Control-Allow-Origin "*"
 			Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
 			Access-Control-Allow-Headers "*"
-			Access-Control-Allow-Credentials "true"
-			X-Caddy-CORS "forward-v25"
+			Access-Control-Expose-Headers "*"
+			X-Caddy-CORS "forward-v26"
 			defer
 		}
 
diff --git a/frontend/shells/meldestelle-web/src/wasmJsMain/kotlin/at/mocode/frontend/shell/web/WebMainScreen.kt b/frontend/shells/meldestelle-web/src/wasmJsMain/kotlin/at/mocode/frontend/shell/web/WebMainScreen.kt
index 81d6dce2..3ad9acbd 100644
--- a/frontend/shells/meldestelle-web/src/wasmJsMain/kotlin/at/mocode/frontend/shell/web/WebMainScreen.kt
+++ b/frontend/shells/meldestelle-web/src/wasmJsMain/kotlin/at/mocode/frontend/shell/web/WebMainScreen.kt
@@ -69,7 +69,9 @@ fun MainAppContent() {
       is WebScreen.Nennung -> "/nennung/${screen.turnierId}"
       is WebScreen.Erfolg -> "/erfolg"
     }
-    setWindowHash("#$targetHash")
+    if (getWindowHash() != "#$targetHash") {
+      setWindowHash("#$targetHash")
+    }
   }
 
   Scaffold(
@@ -124,7 +126,7 @@ fun MainAppContent() {
       // Dezentraler Versions-Marker in der unteren rechten Ecke
       Box(modifier = Modifier.fillMaxSize().padding(8.dp), contentAlignment = Alignment.BottomEnd) {
         Text(
-          text = "v2026-04-23.25 - CADDY CATCH-ALL CORS",
+          text = "v2026-04-23.26 - NUCLEAR CORS v2",
           style = MaterialTheme.typography.labelSmall,
           color = Color.LightGray.copy(alpha = 0.5f)
         )