diff --git a/nginx.conf b/nginx.conf
index 65defc7..66d817a 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -32,7 +32,14 @@ http {
 proxy_set_header Host $proxy_host;
 proxy_ssl_server_name on;
 
- # CORS headers
+ # Strip upstream CORS so we only send our own (duplicate = browser reject)
+ proxy_hide_header Access-Control-Allow-Origin;
+ proxy_hide_header Access-Control-Allow-Methods;
+ proxy_hide_header Access-Control-Allow-Headers;
+ proxy_hide_header Access-Control-Expose-Headers;
+ proxy_hide_header Access-Control-Max-Age;
+
+ # CORS headers — replace with our own *
 add_header Access-Control-Allow-Origin * always;
 add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH" always;
 add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Cache,X-NoCache,X-Status" always;
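Review bot: The new `proxy_hide_header` list leaves out `Access-Control-Allow-Credentials`, so an upstream `Access-Control-Allow-Credentials: true` would still reach the client next to the wildcard `Access-Control-Allow-Origin *`, a pairing browsers refuse for credentialed requests. Adding `proxy_hide_header Access-Control-Allow-Credentials;` to the list keeps the response consistent with the stated goal of sending only the proxy's own CORS policy. Separately, the stripped headers carry whatever origin allow-list the upstream enforces, and the replacement is `*` with `Authorization` among the allowed request headers, so any origin's script that holds a token can read authenticated responses through this proxy. If that is intended, a comment such as `# upstream origin policy is deliberately overridden; this proxy is open to every origin` would record the decision. The enclosing block starts and ends outside the hunk, so whether a nested `location` with its own `add_header` drops these headers cannot be checked from here.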